Website Vulnerability Scanner Report

 https://vibemmi.com.br/Paginas/SystemLogin.aspx?
ReturnUrl=%2f&AspxAutoDetectCookieSupport=1
Target added due to a redirect from https://vibemmi.com.br/

The Light Website Scanner didn't check for critical issues like SQLi, XSS, Command Injection, XXE, etc. Upgrade to run Deep scans with
40+ tests and detect more vulnerabilities.

Summary

Overall risk level: Risk ratings: Scan information:

Low High: 0 Start time: Jun 28, 2024 / 15:37:05
Medium: 0 Finish time: Jun 28, 2024 / 15:37:37
Low: 2 Scan duration: 32 sec

Info: 17 Tests performed: 19/19

Scan status: Finished

Findings

 Unsafe security header: Content-Security-Policy CONFIRMED

URL Evidence

Response headers include the HTTP Content-Security-Policy security header with the
following security issues:
default-src: The default-src directive should be set as a fall-back when other
restrictions have not been specified.
script-src: script-src directive is missing.
base-uri: Missing base-uri allows the injection of base tags. They can be used to
https://vibemmi.com.br/Paginas/SystemLogin.aspx
set the base URL for all relative (script) URLs to an attacker controlled domain.
We recommend setting it to 'none' or 'self'.
object-src: We recommend restricting object-src to 'none' only.
object-src: We recommend restricting object-src to 'none' only.
object-src: We recommend restricting object-src to 'none' only.
Request / Response

 Details

Risk description:
For example, if the unsafe-inline directive is present in the CSP header, the execution of inline scripts and event handlers is allowed. This
can be exploited by an attacker to execute arbitrary JavaScript code in the context of the vulnerable application.

Recommendation:
Remove the unsafe values from the directives, adopt nonces or hashes for safer inclusion of inline scripts if they are needed, and explicitly
define the sources from which scripts, styles, images or other resources can be loaded.

References:
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Classification:
CWE : CWE-693
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Server software and technology found UNCONFIRMED 

1/4
 Software / Version Category

Windows Server Operating systems

jQuery 3.7.1 JavaScript libraries

Sectigo SSL/TLS certificate authorities

Microsoft ASP.NET 4.0.30319 Web frameworks

IIS 10.0 Web servers

HSTS Security

 Details

Risk description:
The risk is that an attacker could use this information to mount specific attacks against the identified software type and version.

Recommendation:
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating
system: HTTP server headers, HTML meta information, etc.

References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-
Fingerprint_Web_Server.html

Classification:
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Security.txt file is missing CONFIRMED

URL

Missing: https://vibemmi.com.br/.well-known/security.txt

 Details

Risk description:
There is no particular risk in not having a security.txt file for your server. However, this file is important because it offers a designated
channel for reporting vulnerabilities and security issues.

Recommendation:
We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users report any security
issues they find, improving the defensive mechanisms of your server.

References:
https://securitytxt.org/

Classification:
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 HTTP OPTIONS enabled CONFIRMED

URL Method Summary

We did a HTTP OPTIONS request.

https://vibemmi.com.br/Paginas/SystemLogin.aspx?
OPTIONS The server responded with a 200 status code and the header: Allow:
AspxAutoDetectCookieSupport=1&ReturnUrl=/
OPTIONS, TRACE, GET, HEAD, POST
Request / Response

 Details

2/4
 Risk description:
The only risk this might present nowadays is revealing debug HTTP methods that can be used on the server. This can present a danger if
any of those methods can lead to sensitive information, like authentication information, secret keys.

Recommendation:
We recommend that you check for unused HTTP methods or even better, disable the OPTIONS method. This can be done using your
webserver configuration.

References:
https://techcommunity.microsoft.com/t5/iis-support-blog/http-options-and-default-page-vulnerabilities/ba-p/1504845
https://docs.nginx.com/nginx-management-suite/acm/how-to/policies/allowed-http-methods/

Classification:
CWE : CWE-16
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Website is accessible.

 Nothing was found for vulnerabilities of server-side software.

 Nothing was found for client access policies.

 Nothing was found for robots.txt file.

 Nothing was found for use of untrusted certificates.

 Nothing was found for enabled HTTP debug methods.

 Nothing was found for secure communication.

 Nothing was found for directory listing.

 Nothing was found for missing HTTP header - Strict-Transport-Security.

 Nothing was found for missing HTTP header - Content Security Policy.

 Nothing was found for missing HTTP header - X-Content-Type-Options.

 Nothing was found for missing HTTP header - Referrer.

 Nothing was found for domain too loose set for cookies.

 Nothing was found for HttpOnly flag of cookie.

3/4
 Nothing was found for Secure flag of cookie.

Scan coverage information

List of tests performed (19/19)

 Starting the scan...
 Checking for unsafe HTTP header Content Security Policy...
 Checking for website technologies...
 Checking for vulnerabilities of server-side software...
 Checking for client access policies...
 Checking for robots.txt file...
 Checking for absence of the security.txt file...
 Checking for use of untrusted certificates...
 Checking for enabled HTTP debug methods...
 Checking for enabled HTTP OPTIONS method...
 Checking for secure communication...
 Checking for directory listing...
 Checking for missing HTTP header - Strict-Transport-Security...
 Checking for missing HTTP header - Content Security Policy...
 Checking for missing HTTP header - X-Content-Type-Options...
 Checking for missing HTTP header - Referrer...
 Checking for domain too loose set for cookies...
 Checking for HttpOnly flag of cookie...
 Checking for Secure flag of cookie...

Scan parameters
Target: https://vibemmi.com.br/Paginas/SystemLogin.aspx?ReturnUrl=%2f&AspxAutoDetectCookieSupport=1
Scan type: Light
Authentication: False

Scan stats
Unique Injection Points Detected: 3
URLs spidered: 7
Total number of HTTP requests: 16
Average time until a response was
291ms
received:

4/4