Website Vulnerability Scanner Report (Light)
Unlock the full capabilities of this scanner
See what the DEEP scanner can do
Perform in-depth website scanning and discover high risk vulnerabilities.
Testing areas Light scan Deep scan
Website fingerprinting
Version-based vulnerability detection
Common configuration issues
SQL injection
Cross-Site Scripting
Local/Remote File Inclusion
Remote command execution
Discovery of sensitive files
https://www.iki-india.com/public/index.php
The Light Website Scanner didn't check for critical issues like SQLi, XSS, Command Injection, XXE, etc. Upgrade to run Deep scans with
40+ tests and detect more vulnerabilities.
Summary
Overall risk level: Risk ratings: Scan information:
High High: 1 Start time: Jan 06, 2025 / 21:32:48 UTC+02
Medium: 2 Finish time: Jan 06, 2025 / 21:33:35 UTC+02
Low: 5 Scan duration: 47 sec
Info: 11 Tests performed: 19/19
Scan status: Finished
Findings
Vulnerabilities found for server-side software UNCONFIRMED
Risk Affected
CVSS CVE Summary
Level software
1/8
� Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55
allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with some form of
RewriteRule
or ProxyPassMatch in which a non-specific pattern matches
some portion of the user-supplied request-target (URL) data and is then
re-inserted into the proxied request-target using variable
substitution. For example, something like:
http_server
9.8 CVE-2023-25690
2.4.41
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access controls in the proxy server,
proxying unintended URLs to existing origin servers, and cache poisoning. Users are
recommended to update to at least version 2.4.56 of Apache HTTP Server.
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier
allows attacker to execute scripts in
directories permitted by the configuration but not directly reachable by any URL or source
disclosure of scripts meant to only to be executed as CGI.
http_server
9.8 CVE-2024-38474
2.4.41
Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag
"UnsafeAllow3F" is specified.
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to
information disclosure, SSRF or local script execution via backend applications whose
http_server
9.8 CVE-2024-38476 response headers are malicious or exploitable.
2.4.41
Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in
mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the http_server
9 CVE-2022-36760
AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP 2.4.41
Server 2.4 version 2.4.54 and prior versions.
http_server
7.5 CVE-2020-11984 Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
2.4.41
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-
jquery
4.3 CVE-2015-9251 domain Ajax request is performed without the dataType option, causing text/javascript
2.1.4
responses to be executed.
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles
jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source jquery
4.3 CVE-2019-11358
object contained an enumerable __proto__ property, it could extend the native 2.1.4
Object.prototype.
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML
containing <option> elements from untrusted sources - even after sanitizing it - to one of jquery
4.3 CVE-2020-11023
jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute 2.1.4
untrusted code. This problem is patched in jQuery 3.5.0.
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from
untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation jquery
4.3 CVE-2020-11022
methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is 2.1.4
patched in jQuery 3.5.0.
Details
Risk description:
The risk is that an attacker could search for an appropriate exploit (or create one himself) for any of these vulnerabilities and use it to
attack the system.
2/8
� Recommendation:
In order to eliminate the risk of these vulnerabilities, we recommend you check the installed software version and upgrade to the latest
version.
Classification:
CWE : CWE-1026
OWASP Top 10 - 2017 : A9 - Using Components with Known Vulnerabilities
OWASP Top 10 - 2021 : A6 - Vulnerable and Outdated Components
Insecure cookie setting: missing Secure flag CONFIRMED
URL Cookie Name Evidence
Set-Cookie:
laravel_session=eyJpdiI6IlZKUGlvaFVmVzdibjNFV3lWSVp6NEE9PSIsInZhbHVlIjoiUzBobExjQUl
QdHpNOVV2OUlHcWtVUWVuTERoaUpsdGxYbVVtN2ZlcW4zSUdpd2tYTjFxOU45ZW1XTDYxdD
https://www.iki-
laravel_session NuMiIsIm1hYyI6ImIwNWYyMjIyNGI2ZTk1N2ZiNTc1ODdhYjM2NWNlYzM4MjQwMGY4MmY2OT
india.com/public/index.php
YwZGY3ZDVkOWY5ZTZmY2JjODJjODcifQ%3D%3D
Request / Response
Details
Risk description:
The risk exists that an attacker will intercept the clear-text communication between the browser and the server and he will steal the cookie
of the user. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.
Recommendation:
Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel.
Ensure that the secure flag is set for cookies containing such sensitive information.
References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-
Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
Classification:
CWE : CWE-614
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Directory listing is enabled CONFIRMED
URL Evidence
Found output resembling directory listing.
https://www.iki-india.com/public/fonts/flaticon/
Request / Response
Details
Risk description:
The risk is that it's often the case that sensitive files are "hidden" among public files in that location and attackers can use this vulnerability
to access them.
Recommendation:
We recommend reconfiguring the web server in order to deny directory listing. Furthermore, you should verify that there are no sensitive
files at the mentioned URLs.
References:
http://projects.webappsec.org/w/page/13246922/Directory%20Indexing
Classification:
CWE : CWE-548
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A1 - Broken Access Control
Screenshot:
3/8
� Figure 1. Directory Listing
Missing security header: Strict-Transport-Security CONFIRMED
URL Evidence
Response headers do not include the HTTP Strict-Transport-Security header
https://www.iki-india.com/public/index.php
Request / Response
Details
Risk description:
The risk is that lack of this header permits an attacker to force a victim user to initiate a clear-text HTTP connection to the server, thus
opening the possibility to eavesdrop on the network traffic and extract sensitive information (e.g. session cookies).
Recommendation:
The Strict-Transport-Security HTTP header should be sent with each HTTPS response. The syntax is as follows:
Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]
The parameter max-age gives the time frame for requirement of HTTPS in seconds and should be chosen quite high, e.g. several months.
A value below 7776000 is considered as too low by this scanner check.
The flag includeSubDomains defines that the policy applies also for sub domains of the sender of the response.
Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Missing security header: X-Content-Type-Options CONFIRMED
URL Evidence
Response headers do not include the X-Content-Type-Options HTTP security header
https://www.iki-india.com/public/index.php
Request / Response
Details
Risk description:
The risk is that lack of this header could make possible attacks such as Cross-Site Scripting or phishing in Internet Explorer browsers.
Recommendation:
We recommend setting the X-Content-Type-Options header such as X-Content-Type-Options: nosniff .
References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
4/8
� OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Missing security header: Referrer-Policy CONFIRMED
URL Evidence
Response headers do not include the Referrer-Policy HTTP security header as well as the <meta> tag with
https://www.iki-
name 'referrer' is not present in the response.
india.com/public/index.php
Request / Response
Details
Risk description:
The risk is that if a user visits a web page (e.g. "http://example.com/pricing/") and clicks on a link from that page going to e.g.
"https://www.google.com", the browser will send to Google the full originating URL in the Referer header, assuming the Referrer-Policy
header is not set. The originating URL could be considered sensitive information and it could be used for user tracking.
Recommendation:
The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value
no-referrer of this header instructs the browser to omit the Referer header entirely.
References:
https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns
Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Missing security header: Content-Security-Policy CONFIRMED
URL Evidence
Response does not include the HTTP Content-Security-Policy security header or meta tag
https://www.iki-india.com/public/index.php
Request / Response
Details
Risk description:
The risk is that if the target application is vulnerable to XSS, lack of this header makes it easily exploitable by attackers.
Recommendation:
Configure the Content-Security-Header to be sent with each HTTP response in order to apply the specific policies needed by the
application.
References:
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Server software and technology found UNCONFIRMED
Software / Version Category
cdnjs CDN
jQuery CDN CDN
Magnific Popup JavaScript libraries
Font Awesome 4.7.0 Font scripts
Bootstrap 5.0.0 UI frameworks
5/8
� Google Font API Font scripts
Apache HTTP Server 2.4.41 Web servers
Bootstrap Icons 1.4.1 Font scripts
jQuery 2.1.4 JavaScript libraries
Laravel Web frameworks
Stellar.js JavaScript libraries
Modernizr 2.6.2 JavaScript libraries
Open Graph Miscellaneous
OWL Carousel JavaScript libraries
PHP Programming languages
Cloudflare CDN
jsDelivr CDN
Ubuntu Operating systems
Details
Risk description:
The risk is that an attacker could use this information to mount specific attacks against the identified software type and version.
Recommendation:
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating
system: HTTP server headers, HTML meta information, etc.
References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-
Fingerprint_Web_Server.html
Classification:
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Security.txt file is missing CONFIRMED
URL
Missing: https://www.iki-india.com/.well-known/security.txt
Details
Risk description:
There is no particular risk in not having a security.txt file for your server. However, this file is important because it offers a designated
channel for reporting vulnerabilities and security issues.
Recommendation:
We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users report any security
issues they find, improving the defensive mechanisms of your server.
References:
https://securitytxt.org/
Classification:
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
HTTP OPTIONS enabled CONFIRMED
6/8
� URL Method Summary
We did a HTTP OPTIONS request.
https://www.iki-india.com/public/index.php OPTIONS
The server responded with a 200 status code and the header: Allow: GET,HEAD
Request / Response
Details
Risk description:
The only risk this might present nowadays is revealing debug HTTP methods that can be used on the server. This can present a danger if
any of those methods can lead to sensitive information, like authentication information, secret keys.
Recommendation:
We recommend that you check for unused HTTP methods or even better, disable the OPTIONS method. This can be done using your
webserver configuration.
References:
https://techcommunity.microsoft.com/t5/iis-support-blog/http-options-and-default-page-vulnerabilities/ba-p/1504845
https://docs.nginx.com/nginx-management-suite/acm/how-to/policies/allowed-http-methods/
Classification:
CWE : CWE-16
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Website is accessible.
Nothing was found for client access policies.
Nothing was found for robots.txt file.
Nothing was found for use of untrusted certificates.
Nothing was found for enabled HTTP debug methods.
Nothing was found for secure communication.
Nothing was found for domain too loose set for cookies.
Nothing was found for HttpOnly flag of cookie.
Nothing was found for unsafe HTTP header Content Security Policy.
Scan coverage information
List of tests performed (19/19)
Starting the scan...
Checking for missing HTTP header - Strict-Transport-Security...
Checking for missing HTTP header - X-Content-Type-Options...
Checking for Secure flag of cookie...
Checking for missing HTTP header - Referrer...
7/8
� Checking for missing HTTP header - Content Security Policy...
Checking for website technologies...
Checking for directory listing...
Checking for vulnerabilities of server-side software...
Checking for client access policies...
Checking for robots.txt file...
Checking for absence of the security.txt file...
Checking for use of untrusted certificates...
Checking for enabled HTTP debug methods...
Checking for enabled HTTP OPTIONS method...
Checking for secure communication...
Checking for domain too loose set for cookies...
Checking for HttpOnly flag of cookie...
Checking for unsafe HTTP header Content Security Policy...
Scan parameters
target: https://www.iki-india.com/public/index.php
scan_type: Light
authentication: False
Scan stats
Unique Injection Points Detected: 54
URLs spidered: 3
Total number of HTTP requests: 13
Average time until a response was
598ms
received:
8/8
