Website Vulnerability Scanner
Security Report: https://xelfin.in/
Scan Date: Jan. 17, 2026, 4:57 p.m. | Duration: 2 minutes, 40.82 seconds
Risk Rating
Overall Risk Rating
F (0/100)
Risk Distribution Chart
CVE Based Risk Distribution
| Severity | Count |
|---|---|
| Critical | 1 |
| High | 2 |
| Medium | 7 |
| Low | 0 |
CWE Based Risk Distribution
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 4 |
| Medium | 2 |
| Low | 0 |
Scan Summary
| Sr. No | Item | Value |
|---|---|---|
| 1 | Input Hostname | xelfin.in |
| 2 | Target URL | https://xelfin.in/ |
| 3 | Scan Start Time | Jan. 17, 2026, 4:57 p.m. |
| 4 | Scan Duration | 2 minutes, 40.82 seconds |
| 5 | Total Test Cases | 42 |
| 6 | Passed Cases | 15 |
| 7 | Failed Cases | 21 |
Target Information
| Sr. No | Item | Value |
|---|---|---|
| 1 | Target URL | https://xelfin.in/ |
| 2 | IP Address | 132.148.96.3 |
| 3 | Hosting Provider | Not Disclosed |
| 4 | Registrar | Not Available |
| 5 | Programming Language | PHP:8.3.28 |
| 6 | Web Server | apache |
| 7 | CMS | WordPress 6.9, Contentful |
| 8 | Operating System | Linux/Unix |
| 9 | HTTPS Enabled | Enabled |
| 10 | WAF Detected | Not Detected |
Original Header Response
Date: Sat, 17 Jan 2026 11:27:34 GMT
Server: Apache
X-Powered-By: PHP/8.3.28
Permissions-Policy: private-state-token-redemption=(self "https://www.google.com" "https://www.gstatic.com" "https://recaptcha.net" "https://challenges.cloudflare.com" "https://hcaptcha.com"), private-state-token-issuance=(self "https://www.google.com" "https://www.gstatic.com" "https://recaptcha.net" "https://challenges.cloudflare.com" "https://hcaptcha.com")
Link: <https://xelfin.in/wp-json/>; rel="https://api.w.org/", <https://xelfin.in/wp-json/wp/v2/pages/7105>; rel="alternate"; title="JSON"; type="application/json", <https://xelfin.in/>; rel=shortlink
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Vary: Accept-Encoding
Content-Encoding: br
Content-Length: 27356
Keep-Alive: timeout=5
Content-Type: text/html; charset=UTF-8
Detailed Technical Analysis
| Sr. No | Check | Result |
|---|---|---|
| 1 | Open Ports | [80, 443] |
| 2 | Debug Method Enabled | No |
| 3 | OPTIONS Method | No |
| 4 | DKIM | Not Detected |
| 5 | SPF | Not Detected |
| 6 | DMARC | Not Detected |
| 7 | Captcha Detection | Not Detected |
| 8 | Password field with autocomplete | Not Detected |
| 9 | Unencrypted Viewstate | Not Detected |
Additional Findings
Javascript Libraries
Secret Files Detection
Cross Domain Inclusion
- xelfin.in
- img1.wsimg.com
- gmpg.org
- themedemo.commercegurus.com
Findings – CVE (Common Vulnerabilities and Exposures)
| Sr. No | Vulnerability Source | CVE ID | Severity | Score | Description | Remediation |
|---|---|---|---|---|---|---|
| 1 | php-8.3.28 - CVE-2024-3566 | CVE-2024-3566 | Critical | 9.8 | A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. | No solution provided. |
| 2 | php-8.3.28 - CVE-2013-2220 | CVE-2013-2220 | High | 7.5 | Buffer overflow in the radius_get_vendor_attr function in the Radius extension before 1.2.7 for PHP allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large Vendor Specific Attributes (VSA) length value. | No solution provided. |
| 3 | php-8.3.28 - CVE-2025-14180 | CVE-2025-14180 | High | 8.2 | In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server. | No solution provided. |
| 8 | WordPress-6.9 - CVE-2012-2916 | CVE-2012-2916 | Medium | 4.3 | Cross-site scripting (XSS) vulnerability in sabre_class_admin.php in the SABRE plugin before 2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the active_option parameter to wp-admin/tools.php. | No solution provided. |
| 9 | WordPress-6.9 - CVE-2012-2917 | CVE-2012-2917 | Medium | 4.3 | Cross-site scripting (XSS) vulnerability in the Share and Follow plugin 1.80.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the CDN API Key (cnd-key) in a share-and-follow-menu page to wp-admin/admin.php. | No solution provided. |
| 10 | WordPress-6.9 - CVE-2012-2920 | CVE-2012-2920 | Medium | 4.3 | Cross-site scripting (XSS) vulnerability in the userphoto_options_page function in user-photo.php in the User Photo plugin before 0.9.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to wp-admin/options-general.php. NOTE: some of these details are obtained from third party information. | No solution provided. |
| 11 | WordPress-6.9 - CVE-2012-2759 | CVE-2012-2759 | Medium | 4.3 | Cross-site scripting (XSS) vulnerability in login-with-ajax.php in the Login With Ajax (aka login-with-ajax) plugin before 3.0.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the callback parameter in a lostpassword action to wp-login.php. | No solution provided. |
| 12 | WordPress-6.9 - CVE-2013-5918 | CVE-2013-5918 | Medium | 4.3 | Cross-site scripting (XSS) vulnerability in platinum_seo_pack.php in the Platinum SEO plugin before 1.3.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter. | No solution provided. |
| 13 | php-8.3.28 - CVE-2025-14177 | CVE-2025-14177 | Medium | 6.3 | In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server. | No solution provided. |
| 14 | php-8.3.28 - CVE-2025-14178 | CVE-2025-14178 | Medium | 6.5 | In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server. | No solution provided. |
Findings – CWE (Common Weakness Enumeration)
| Sr. No | Vulnerability Source | CWE ID | Severity | Description | Remediation |
|---|---|---|---|---|---|
| 4 | Missing Content-Security-Policy header | CWE-693 | High | Failure to enforce mechanisms that protect against unauthorized modifications such as XSS or content injection. | Implement a strong Content-Security-Policy header such as: "Content-Security-Policy: default-src 'self'; script-src 'self'". |
| 5 | Missing Strict-Transport-Security header | CWE-319 | High | Sensitive information is exposed in transit due to the absence of secure channel enforcement. | Enable HSTS with: "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload". |
| 6 | Missing HttpOnly flag in cookies | CWE-1004 | High | Cookies accessible by JavaScript can be stolen via XSS. | Set the HttpOnly flag to prevent client-side script access. |
| 7 | Missing Secure flag in cookies | CWE-614 | High | Cookies without the Secure flag may be sent over unencrypted connections. | Enable the Secure flag for all session or sensitive cookies. |
| 15 | Missing Referrer-Policy header | CWE-200 | Medium | Exposure of sensitive URLs or information to third-party sites. | Set a secure referrer policy such as: "Referrer-Policy: no-referrer". |
| 16 | Missing X-Content-Type-Options header | CWE-16 | Medium | Improperly configured security headers allow MIME-type confusion attacks. | Add the header: "X-Content-Type-Options: nosniff". |
Scan Test Cases
| Sr. No | Test Case |
|---|---|
| 1 | Inline Connection |
| 2 | Ip-Address |
| 3 | Cloud_Provider |
| 4 | Server Disclosure |
| 5 | Technology Disclosure |
| 6 | Cms Detection |
| 7 | Mixed Content Analysis |
| 8 | Operating-System |
| 9 | Open Ports Scan |
| 10 | Database |
| 11 | Javascript Libraries |
| 12 | Secure Connection Check |
| 13 | Directories Listing Exposed |
| 14 | Password Exposing Pages |
| 15 | Missing Security Headers |
| 16 | Missing Content-Security-Policy |
| 17 | Missing Strict-Transport-Security |
| 18 | Missing Referrer-Policy |
| 19 | Missing X-Content-Type-Options |
| 20 | Missing Cookie http flag |
| 21 | Missing Cookie secure flag |
| 22 | Secret Files Detection |
| 23 | WAF-Detection |
| 24 | SSL Certificate Validation |
| 25 | Loose Cookie Domain |
| 26 | CSP Header Analysis |
| 27 | OpenAPI Disclosure |
| 28 | Password Leak Detection |
| 29 | Path Disclosure |
| 30 | Error Messages Analysis |
| 31 | Rate Limit Headers |
| 32 | Email Extraction |
| 33 | Xml-RPC Endpoint Detection |
| 34 | HTTP Methods Allowed |
| 35 | Enabled Debug Method |
| 36 | Enabled OPTIONS Method |
| 37 | Cross-Domain Inclusion |
| 38 | File Upload Detection |
| 39 | Client Access Policies |
| 40 | X-FRAME OPTIONS |
| 41 | X-XSS PROTECTION |
| 42 | .htaccess Exposure |
Passed & Failed Cases
Passed Cases (15)
- Open Ports Scan
- Secure Connection
- Directory Listing Exposed
- SSL Certificate
- Loose cookie domain
- Content Security Policy Misconfiguration
- OpenAPI Disclosure
- Password Leakage
- Error Messages Analysis
- Path Disclosure
- Rate Limit Headers
- Emails exposed
- File Upload Detection
- .htaccess Exposure
- Host Header Injection
Failed Cases (21)
- Server Disclosure
- Technology Disclosure
- Mixed Content (HTTP on HTTPS)
- Javascript Libraries
- Passwords submitted unencrypted
- Missing Security Headers
- Missing Content-Security-Policy header
- Missing Strict-Transport-Security header
- Missing Referrer-Policy header
- Missing X-Content-Type-Options header
- Missing HttpOnly flag in cookies
- Missing Secure flag in cookies
- Secret Files Detection
- robots.txt file found
- WAF Detection
- Enabled Debug Method
- Enabled OPTIONS Method
- Cross-Domain Inclusion
- Client Access Policies
- X-FRAME OPTIONS
- X-XSS PROTECTION
Raw Scan Data (JSON)
{
"host": "xelfin.in",
"host_url": "https://xelfin.in/",
"task_id": "6bbfb4e2-39c1-4360-b8dd-32637e4a78e6",
"status": "COMPLETED",
"inline_connection": "Yes",
"original_header": {
"Date": "Sat, 17 Jan 2026 11:27:34 GMT",
"Server": "Apache",
"X-Powered-By": "PHP/8.3.28",
"Permissions-Policy": "private-state-token-redemption=(self \"https://www.google.com\" \"https://www.gstatic.com\" \"https://recaptcha.net\" \"https://challenges.cloudflare.com\" \"https://hcaptcha.com\"), private-state-token-issuance=(self \"https://www.google.com\" \"https://www.gstatic.com\" \"https://recaptcha.net\" \"https://challenges.cloudflare.com\" \"https://hcaptcha.com\")",
"Link": "<https://xelfin.in/wp-json/>; rel=\"https://api.w.org/\", <https://xelfin.in/wp-json/wp/v2/pages/7105>; rel=\"alternate\"; title=\"JSON\"; type=\"application/json\", <https://xelfin.in/>; rel=shortlink",
"Upgrade": "h2,h2c",
"Connection": "Upgrade, Keep-Alive",
"Vary": "Accept-Encoding",
"Content-Encoding": "br",
"Content-Length": "27356",
"Keep-Alive": "timeout=5",
"Content-Type": "text/html; charset=UTF-8"
},
"ip_address": "132.148.96.3",
"hosting_provider": null,
"registrar": null,
"cms": [
{
"WordPress": "6.9"
},
"Contentful"
],
"cms_cve": {
"Total CVEs": 90,
"Critical": 0,
"High": 31,
"Medium": 59,
"Low": 0,
"WordPress-6.9": [
{
"Id": "CVE-2012-2916",
"Published": "2012-05-21T18:55:07.600",
"Description": "Cross-site scripting (XSS) vulnerability in sabre_class_admin.php in the SABRE plugin before 2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the active_option parameter to wp-admin/tools.php.",
"Severity": "MEDIUM",
"Score": 4.3,
"CWE": "CWE-79"
},
{
"Id": "CVE-2012-2917",
"Published": "2012-05-21T18:55:07.647",
"Description": "Cross-site scripting (XSS) vulnerability in the Share and Follow plugin 1.80.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the CDN API Key (cnd-key) in a share-and-follow-menu page to wp-admin/admin.php.",
"Severity": "MEDIUM",
"Score": 4.3,
"CWE": "CWE-79"
},
{
"Id": "CVE-2012-2920",
"Published": "2012-05-21T22:55:01.197",
"Description": "Cross-site scripting (XSS) vulnerability in the userphoto_options_page function in user-photo.php in the User Photo plugin before 0.9.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to wp-admin/options-general.php. NOTE: some of these details are obtained from third party information.",
"Severity": "MEDIUM",
"Score": 4.3,
"CWE": "CWE-79"
},
{
"Id": "CVE-2012-2759",
"Published": "2012-05-22T16:55:01.570",
"Description": "Cross-site scripting (XSS) vulnerability in login-with-ajax.php in the Login With Ajax (aka login-with-ajax) plugin before 3.0.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the callback parameter in a lostpassword action to wp-login.php.",
"Severity": "MEDIUM",
"Score": 4.3,
"CWE": "CWE-79"
},
{
"Id": "CVE-2013-5918",
"Published": "2013-09-23T10:18:59.297",
"Description": "Cross-site scripting (XSS) vulnerability in platinum_seo_pack.php in the Platinum SEO plugin before 1.3.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.",
"Severity": "MEDIUM",
"Score": 4.3,
"CWE": "CWE-79"
}
]
},
"server": "apache",
"server_disclosure_cve": null,
"programming_language": "PHP:8.3.28",
"technology_disclosure_cve": {
"Total CVEs": 6,
"Critical": 1,
"High": 2,
"Medium": 3,
"Low": 0,
"php-8.3.28": [
{
"Id": "CVE-2013-2220",
"Published": "2013-07-31T13:20:27.423",
"Description": "Buffer overflow in the radius_get_vendor_attr function in the Radius extension before 1.2.7 for PHP allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large Vendor Specific Attributes (VSA) length value.",
"Severity": "HIGH",
"Score": 7.5,
"CWE": "CWE-119"
},
{
"Id": "CVE-2024-3566",
"Published": "2024-04-10T16:15:16.083",
"Description": "A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.",
"Severity": "CRITICAL",
"Score": 9.8,
"CWE": "CWE-77"
},
{
"Id": "CVE-2025-14177",
"Published": "2025-12-27T20:15:40.400",
"Description": "In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.",
"Severity": "MEDIUM",
"Score": 6.3,
"CWE": "CWE-125"
},
{
"Id": "CVE-2025-14178",
"Published": "2025-12-27T20:15:40.570",
"Description": "In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.",
"Severity": "MEDIUM",
"Score": 6.5,
"CWE": "CWE-190"
},
{
"Id": "CVE-2025-14180",
"Published": "2025-12-27T20:15:40.717",
"Description": "In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \\x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.",
"Severity": "HIGH",
"Score": 8.2,
"CWE": "CWE-476"
}
]
},
"mixed_content_analysis": {
"Source": [
"http://xelfin.in/wp-content/uploads/elementor/google-fonts/css/roboto.css?ver=1746343439",
"http://xelfin.in/wp-content/uploads/elementor/google-fonts/css/robotoslab.css?ver=1746343448",
"http://xelfin.in/wp-content/uploads/2025/05/xelfin_tm.png",
"http://xelfin.in/wp-content/uploads/2020/12/menu_returns.png",
"http://xelfin.in/wp-content/uploads/2020/12/menu_help.png",
"http://xelfin.in/wp-content/uploads/2020/12/menu_shipping.png",
"http://xelfin.in/wp-content/uploads/2025/12/beige_printed_kurti_pant_set_with_chiffon-sg272857_8-Photoroom-728x1024.png",
"http://xelfin.in/wp-content/uploads/2025/04/Photoroom_20240630_162254.jpg",
"http://xelfin.in/wp-content/uploads/2025/04/IMG_6164.jpg",
"http://xelfin.in/wp-content/uploads/2025/04/Photoroom_20240720_195135.jpg",
"http://xelfin.in/wp-content/uploads/2025/04/Photoroom_009_20240825_231013.jpg",
"http://xelfin.in/wp-content/uploads/2025/04/IMG_3215-scaled.jpg",
"http://xelfin.in/wp-content/uploads/2025/04/Photoroom_20240705_214352_2.jpg",
"http://xelfin.in/wp-content/uploads/2022/08/light-bulb-outlined-hand-drawn-tool.png",
"http://xelfin.in/wp-content/uploads/2022/08/chatting-speech-bubbles-hand-drawn-bubbles-couple.png",
"http://xelfin.in/wp-content/uploads/2022/08/shopping-cart-sketch.png",
"http://xelfin.in/wp-content/uploads/2022/08/35170557-c59b-4e40-b34a-96c36e178c30-200x300.png",
"http://xelfin.in/wp-content/uploads/2025/12/Xelfin-Suits-2-2048x1024.png"
],
"Mixed content (HTTP on HTTPS)": {
"issue": "Mixed content (HTTP on HTTPS)",
"severity": "High",
"cwe_id": "CWE-319",
"cwe_description": "Sensitive information may be sent over unencrypted channels when HTTP assets load on an HTTPS page.",
"fix": "Ensure all assets (JS, CSS, images) load using HTTPS only."
}
},
"operating_system": "Linux/Unix",
"open_ports": [
80,
443
],
"database_technology": null,
"javascript_libraries": [
"jquery_ui",
{
"jquery": {
"version": "3.7.1",
"source": "https://xelfin.in/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"
},
"jquery_migrate": {
"version": "3.4.1",
"source": "https://xelfin.in/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1"
},
"woocommerce": {
"version": "10.4.3",
"source": "https://xelfin.in/wp-content/plugins/woocommerce/assets/js/frontend/cart-fragments.min.js?ver=10.4.3"
},
"commercegurus-commercekit": {
"version": "2.4.1",
"source": "https://xelfin.in/wp-content/plugins/commercegurus-commercekit/assets/js/ajax-search.js?ver=2.4.1"
},
"elementor": {
"version": "3.34.1",
"source": "https://xelfin.in/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.34.1"
}
}
],
"javascript_libraries_cve": null,
"secure_connection": "Enabled",
"directory_listing": null,
"passwords_submitted_unencrypted": null,
"missing_security_headers": [
"STRICT-TRANSPORT-SECURITY",
"X-FRAME-OPTIONS",
"CONTENT-SECURITY-POLICY",
"X-CONTENT-TYPE-OPTIONS",
"X-XSS-PROTECTION",
"REFERRER-POLICY",
"X-PERMITTED-CROSS-DOMAIN"
],
"missing_content_security_policy_header": {
"issue": "Missing Content-Security-Policy header",
"severity": "High",
"cwe_id": "CWE-693",
"cwe_description": "Failure to enforce mechanisms that protect against unauthorized modifications such as XSS or content injection.",
"fix": "Implement a strong Content-Security-Policy header such as: \"Content-Security-Policy: default-src 'self'; script-src 'self'\"."
},
"missing_strict_transport_security_header": {
"issue": "Missing Strict-Transport-Security header",
"severity": "High",
"cwe_id": "CWE-319",
"cwe_description": "Sensitive information is exposed in transit due to the absence of secure channel enforcement.",
"fix": "Enable HSTS with: \"Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\"."
},
"missing_referrer_policy_header": {
"issue": "Missing Referrer-Policy header",
"severity": "Medium",
"cwe_id": "CWE-200",
"cwe_description": "Exposure of sensitive URLs or information to third-party sites.",
"fix": "Set a secure referrer policy such as: \"Referrer-Policy: no-referrer\"."
},
"missing_x_content_type_options_header": {
"issue": "Missing X-Content-Type-Options header",
"severity": "Medium",
"cwe_id": "CWE-16",
"cwe_description": "Improperly configured security headers allow MIME-type confusion attacks.",
"fix": "Add the header: \"X-Content-Type-Options: nosniff\"."
},
"missing_httponly_flag_in_cookies": {
"issue": "Missing HttpOnly flag in cookies",
"severity": "High",
"cwe_id": "CWE-1004",
"cwe_description": "Cookies accessible by JavaScript can be stolen via XSS.",
"fix": "Set the HttpOnly flag to prevent client-side script access."
},
"missing_secure_flag_in_cookies": {
"issue": "Missing Secure flag in cookies",
"severity": "High",
"cwe_id": "CWE-614",
"cwe_description": "Cookies without the Secure flag may be sent over unencrypted connections.",
"fix": "Enable the Secure flag for all session or sensitive cookies."
},
"secret_files_detection": [
"https://xelfin.in/robots.txt",
"https://xelfin.in/sitemap.xml"
],
"robots_txt_file_found": null,
"waf_detection": null,
"ssl_certificate": null,
"loose_cookie_domain": null,
"csp_header_analysis": null,
"openapi_disclosure": null,
"password_leakage": null,
"error_messages_analysis": null,
"path_disclosure": null,
"rate_limit_headers": null,
"email_extraction": null,
"xml_rpc_endpoint_detection": null,
"http_methods_allowed": null,
"enabled_debug_method": "No",
"enabled_options_method": "No",
"cross_domain_inclusion": [
"xelfin.in",
"img1.wsimg.com",
"gmpg.org",
"themedemo.commercegurus.com"
],
"file_upload": null,
"client_access_policies": [],
"x_frame_options": "Missing X-Frame-Options",
"x_xss_protection": "Missing x-xss-protection header",
"htaccess_exposure": null,
"host_header_injection": null,
"captcha_detection": null,
"password_field_with_autocomplete": null,
"spf": null,
"dmarc": null,
"dkim": null,
"unencrypted_viewstate": null,
"total_scans": [
"Inline Connection",
"Ip-Address",
"Cloud_Provider",
"Server Disclosure",
"Technology Disclosure",
"Cms Detection",
"Mixed Content Analysis",
"Operating-System",
"Open Ports Scan",
"Database",
"Javascript Libraries",
"Secure Connection Check",
"Directories Listing Exposed",
"Password Exposing Pages",
"Missing Security Headers",
"Missing Content-Security-Policy",
"Missing Strict-Transport-Security",
"Missing Referrer-Policy",
"Missing X-Content-Type-Options",
"Missing Cookie http flag",
"Missing Cookie secure flag",
"Secret Files Detection",
"WAF-Detection",
"SSL Certificate Validation",
"Loose Cookie Domain",
"CSP Header Analysis",
"OpenAPI Disclosure",
"Password Leak Detection",
"Path Disclosure",
"Error Messages Analysis",
"Rate Limit Headers",
"Email Extraction",
"Xml-RPC Endpoint Detection",
"HTTP Methods Allowed",
"Enabled Debug Method",
"Enabled OPTIONS Method",
"Cross-Domain Inclusion",
"File Upload Detection",
"Client Access Policies",
"X-FRAME OPTIONS",
"X-XSS PROTECTION",
".htaccess Exposure"
],
"executive_summary": {
"Severity": "Critical",
"Total Checks Passed": 15,
"Passed Cases": [
"Open Ports Scan",
"Secure Connection",
"Directory Listing Exposed",
"SSL Certificate",
"Loose cookie domain",
"Content Security Policy Misconfiguration",
"OpenAPI Disclosure",
"Password Leakage",
"Error Messages Analysis",
"Path Disclosure",
"Rate Limit Headers",
"Emails exposed",
"File Upload Detection",
".htaccess Exposure",
"Host Header Injection"
],
"Total Checks Failed": 21,
"Failed Cases": [
"Server Disclosure",
"Technology Disclosure",
"Mixed Content (HTTP on HTTPS)",
"Javascript Libraries",
"Passwords submitted unencrypted",
"Missing Security Headers",
"Missing Content-Security-Policy header",
"Missing Strict-Transport-Security header",
"Missing Referrer-Policy header",
"Missing X-Content-Type-Options header",
"Missing HttpOnly flag in cookies",
"Missing Secure flag in cookies",
"Secret Files Detection",
"robots.txt file found",
"WAF Detection",
"Enabled Debug Method",
"Enabled OPTIONS Method",
"Cross-Domain Inclusion",
"Client Access Policies",
"X-FRAME OPTIONS",
"X-XSS PROTECTION"
],
"Total CVEs Found": 96,
"Critical": 1,
"High": 33,
"Medium": 62,
"Low": 0,
"Total CWEs Found": 6
},
"total_scan_time": "2 minutes, 40.82 seconds",
"scan_start_timestamp": "2026-01-17 11:27:33"
}