Website Vulnerability Scanner Report
https://petstore.octoperf.com/actions/Catalog.action
The Light Website Scanner didn't check for critical issues like SQLi, XSS, Command Injection, XXE, etc. Upgrade to run Deep scans with 40+ tests and detect more vulnerabilities.
Summary
Overall risk level: Medium
Risk ratings: Critical: 0, High: 0, Medium: 1, Low: 7, Info: 42
Scan information:
Start time: May 07, 2025 / 00:17:23 UTC+0530
Finish time: May 07, 2025 / 00:36:04 UTC+0530
Scan duration: 18 min, 41 sec
Tests performed: 50/50
Scan status: Finished
Findings
Insecure cookie setting: missing Secure flag CONFIRMED
port 443/tcp
URL: https://petstore.octoperf.com/actions/Catalog.action
Cookie Name: JSESSIONID
Evidence: Set-Cookie: JSESSIONID=19AA07F4DA5909858689C6C5C05B1F12
Details
Risk description:
The risk exists that an attacker will intercept the clear-text communication between the browser and the server and steal the user's cookie. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.
Recommendation:
Whenever a cookie contains sensitive information or is a session token, it should always be passed over an encrypted channel. Ensure that the Secure flag is set for cookies containing such sensitive information.
References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
Classification:
CWE : CWE-614
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Missing security header: Referrer-Policy CONFIRMED
port 443/tcp
URL: https://petstore.octoperf.com/actions/Catalog.action
Evidence: Response headers do not include the Referrer-Policy HTTP security header, and the <meta> tag with name 'referrer' is not present in the response.
Details
Risk description:
The risk is that if a user visits a web page (e.g. "http://example.com/pricing/") and clicks on a link from that page going to e.g.
"https://www.google.com", the browser will send to Google the full originating URL in the Referer header, assuming the Referrer-Policy
header is not set. The originating URL could be considered sensitive information and it could be used for user tracking.
Recommendation:
The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value
no-referrer of this header instructs the browser to omit the Referer header entirely.
References:
https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns
Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Missing security header: Content-Security-Policy CONFIRMED
port 443/tcp
URL: https://petstore.octoperf.com/actions/Catalog.action
Evidence: Response does not include the HTTP Content-Security-Policy security header or meta tag
Details
Risk description:
The risk is that if the target application is vulnerable to XSS, lack of this header makes it easily exploitable by attackers.
Recommendation:
Configure the Content-Security-Policy header to be sent with each HTTP response in order to apply the specific policies needed by the application.
References:
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Missing security header: X-Content-Type-Options CONFIRMED
port 443/tcp
URL: https://petstore.octoperf.com/actions/Catalog.action
Evidence: Response headers do not include the X-Content-Type-Options HTTP security header
Details
Risk description:
The risk is that the lack of this header could enable attacks such as Cross-Site Scripting or phishing in Internet Explorer browsers.
Recommendation:
We recommend setting the X-Content-Type-Options header, for example X-Content-Type-Options: nosniff.
References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Classification:
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Internal Server Error Found CONFIRMED
port 443/tcp
URL: https://petstore.octoperf.com/actions/Cart.action
Method: GET
Parameters:
Headers: User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Cookies: JSESSIONID=3A9348608505BC94E5204D8723ADF37E
Evidence: Response has an internal server error status code: 500
Details
Risk description:
The risk exists that attackers could utilize information revealed in Internal Server Error messages to mount more targeted and effective
attacks. Detailed error messages could, for example, expose a path traversal weakness (CWE-22) or other exploitable system
vulnerabilities.
Recommendation:
Ensure that error messages only contain minimal details that are useful to the intended audience, and nobody else. The messages need to
strike the balance between being too cryptic and not being cryptic enough. They should not necessarily reveal the methods that were used
to determine the error. Such detailed information can be used to refine the original attack to increase the chances of success. If errors
must be tracked in some detail, capture them in log messages - but consider what could occur if the log messages can be viewed by
attackers. Avoid recording highly sensitive information such as passwords in any form. Avoid inconsistent messaging that might
accidentally tip off an attacker about internal state, such as whether a username is valid or not.
Classification:
CWE : CWE-209
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Screenshot:
Figure 1. Internal Error
Robots.txt file found CONFIRMED
port 443/tcp
URL
https://petstore.octoperf.com/robots.txt
Details
Risk description:
There is no particular security risk in having a robots.txt file. However, it's important to note that adding endpoints in it should not be
considered a security measure, as this file can be directly accessed and read by anyone.
Recommendation:
We recommend that you manually review the entries in robots.txt and remove the ones that lead to sensitive locations in the website (e.g. administration panels, configuration files, etc.).
References:
https://www.theregister.co.uk/2015/05/19/robotstxt/
Classification:
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Screenshot:
Figure 2. robots.txt
Server software and technology found UNCONFIRMED
port 443/tcp
Software / Version (Category):
tomcat (Miscellaneous)
Java (Programming languages)
HSTS (Security)
JSP (Web frameworks)
Details
Risk description:
The risk is that an attacker could use this information to mount specific attacks against the identified software type and version.
Recommendation:
We recommend that you eliminate the information which permits the identification of the software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.
References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server.html
Classification:
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Screenshot:
Figure 3. Website Screenshot
Enumerable Parameter UNCONFIRMED
port 443/tcp
URL: https://petstore.octoperf.com/actions/Cart.action
Method: GET
Vulnerable Parameter: workingItemId (Query Parameter)
Evidence: The workingItemId query parameter appears to contain an enumerable numeric part. We modified its initial value EST-16 to EST-15 and the two responses were 93% similar. The parameter may introduce an Insecure Direct Object Reference (IDOR) vulnerability.
URL: https://petstore.octoperf.com/actions/Catalog.action
Method: GET
Vulnerable Parameter: itemId (Query Parameter)
Evidence: The itemId query parameter appears to contain an enumerable numeric part. We modified its initial value EST-16 to EST-15 and the two responses were 91% similar. The parameter may introduce an Insecure Direct Object Reference (IDOR) vulnerability.
URL: https://petstore.octoperf.com/actions/Catalog.action
Method: GET
Vulnerable Parameter: productId (Query Parameter)
Evidence: The productId query parameter appears to contain an enumerable numeric part. We modified its initial value FL-DLH-02 to FL-DLH-1 and the two responses were 79% similar. The parameter may introduce an Insecure Direct Object Reference (IDOR) vulnerability.
Details
Risk description:
The vulnerability allows attackers to brute-force parameter values to uncover and access unauthorized resources and functionalities.
Recommendation:
Ensure that parameter values do not reveal sensitive information and that the application properly checks the user's authorization to access the resource. Also, resource IDs should not be predictable.
References:
Testing for Insecure Direct Object References
Classification:
CWE : CWE-284
OWASP Top 10 - 2017 : A5 - Broken Access Control
OWASP Top 10 - 2021 : A1 - Broken Access Control
Login Interface Found CONFIRMED
port 443/tcp
URL: https://petstore.octoperf.com/actions/Account.action
Evidence:
<input id="stripes--1745006809" name="username" type="text"/>
<input name="password" type="password" value="j2ee"/>
<input name="signon" type="submit" value="Login"/>
Details
Risk description:
The risk is that an attacker could use this interface to mount brute-force attacks using known username and password combinations leaked across the web.
Recommendation:
Ensure that each interface cannot be bypassed using common knowledge of the application or leaked credentials, and perform occasional password audits.
References:
https://pentest-tools.com/network-vulnerability-scanning/password-auditor
http://capec.mitre.org/data/definitions/16.html
Screenshot:
Figure 4. Login Interface
Security.txt file is missing CONFIRMED
port 443/tcp
URL
Missing: https://petstore.octoperf.com/.well-known/security.txt
Details
Risk description:
There is no particular risk in not having a security.txt file for your server. However, this file is important because it offers a designated
channel for reporting vulnerabilities and security issues.
Recommendation:
We recommend that you implement the security.txt file according to the standard, in order to allow researchers or users to report any security issues they find, improving the defensive mechanisms of your server.
References:
https://securitytxt.org/
Classification:
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
HTTP OPTIONS enabled CONFIRMED
port 443/tcp
URL: https://petstore.octoperf.com/actions/Catalog.action
Method: OPTIONS
Summary: We sent an HTTP OPTIONS request. The server responded with a 200 status code and the header: Allow: GET, HEAD, POST, OPTIONS
Details
Risk description:
The only risk this might present nowadays is revealing debug HTTP methods that can be used on the server. This can present a danger if any of those methods can lead to sensitive information, such as authentication information or secret keys.
Recommendation:
We recommend that you check for unused HTTP methods or, even better, disable the OPTIONS method. This can be done in your web server configuration.
References:
https://techcommunity.microsoft.com/t5/iis-support-blog/http-options-and-default-page-vulnerabilities/ba-p/1504845
https://docs.nginx.com/nginx-management-suite/acm/how-to/policies/allowed-http-methods/
Classification:
CWE : CWE-16
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration
Spider results
URL | Method | Parameters | Page Title | Page Size | HTTP Status Code
https://petstore.octoperf.com/actions | GET | - | HTTP Status 404 – Not Found | 754 B | 404
https://petstore.octoperf.com/actions/ | GET | - | HTTP Status 404 – Not Found | 759 B | 404
https://petstore.octoperf.com/actions/Account.action | GET | - | JPetStore Demo | 3.79 KB | 200
https://petstore.octoperf.com/actions/Account.action | POST | Body: __fp=Il60dTfRXNx6ANQeKbZiquPFIi6rjfAfpX1aikYrMdDB8uKhyYMnPXwB8LXTTaj0; _sourcePage=Ckptv8H3zEDu9AbXYtczYDiI7Y9BtuCKfPgcpT7fw740hgsQ6tF_uy-ccoRN-EXR_t6I5UUVIWoBw2IgMXSHd_flWO_hR03kGdHinH6Rsv8=; password=j2ee; signon=Login; username=1d3d2d231d2dd4 | JPetStore Demo | 3.87 KB | 200
https://petstore.octoperf.com/actions/Account.action | GET | Query: newAccountForm= | JPetStore Demo | 5.71 KB | 200
https://petstore.octoperf.com/actions/Account.action | GET | Query: signonForm= | JPetStore Demo | 3.77 KB | 200
https://petstore.octoperf.com/actions/Cart.action | GET | - | HTTP Status 500 – Internal Server Error | 2.13 KB | 500
https://petstore.octoperf.com/actions/Cart.action | POST | Body: __fp=jNxsEgTT-gpsYm2vUTI3loA1Kz_OVwBJz-_-DKNy2-0mE-XpAprf7nmh__EkrJXU; _sourcePage=gs3yV4VEzZvSNt1zEFZbTQNc5xnvuVJNiS2lv1YXGqCfwo97mnLvquQDCDh9VIRRLZKleOIT5ICT2FIXYM02AvqU_4LkiAjL; updateCartQuantities=Update Cart | JPetStore Demo | 3.93 KB | 200
https://petstore.octoperf.com/actions/Cart.action | GET | Query: addItemToCart=; workingItemId=EST-26 | JPetStore Demo | 7.18 KB | 200
https://petstore.octoperf.com/actions/Cart.action | GET | Query: viewCart= | JPetStore Demo | 3.91 KB | 200
https://petstore.octoperf.com/actions/Catalog.action | GET | - | JPetStore Demo | 5.23 KB | 200
https://petstore.octoperf.com/actions/Catalog.action | POST | Body: __fp=b43_YoledF-Ze14y93sLR27vW85EturAztYj8le-sSw_LV_Lk0oNCupu2YWjRSs7; _sourcePage=5yEcSBvVWeSqvgh1A7meJ6XN4h31GPw8Z_kbN2oZCTsW4x4ros8FjMjGqctT5pz7X8_6zSL7QYVpJ3dra3xvVLEQUR0KUocN815PMwLpQx0=; keyword=1d3d2d231d2dd4; searchProducts=Search | JPetStore Demo | 3.14 KB | 200
https://petstore.octoperf.com/actions/Catalog.action | GET | Query: categoryId=FISH; viewCategory= | JPetStore Demo | 3.6 KB | 200
https://petstore.octoperf.com/actions/Catalog.action | GET | Query: itemId=EST-26; viewItem= | JPetStore Demo | 3.5 KB | 200
https://petstore.octoperf.com/actions/Catalog.action | GET | Query: productId=FI-SW-01; viewProduct= | JPetStore Demo | 3.8 KB | 200
Details
Risk description:
The table contains all the unique pages the scanner found. Duplicated URLs are not listed here, as scanning them is considered unnecessary.
Recommendation:
We recommend that advanced users verify that the scan properly detected most of the URLs in the application.
References:
All the URLs the scanner found, including duplicates (available for 90 days after the scan date)
Website is accessible.
Nothing was found for vulnerabilities of server-side software.
Nothing was found for client access policies.
Nothing was found for outdated JavaScript libraries.
Nothing was found for use of untrusted certificates.
Nothing was found for enabled HTTP debug methods.
Nothing was found for administration consoles.
Nothing was found for information disclosure.
Nothing was found for software identification.
Nothing was found for sensitive files.
Nothing was found for interesting files.
Nothing was found for secure communication.
Nothing was found for directory listing.
Nothing was found for passwords submitted unencrypted.
Nothing was found for error messages.
Nothing was found for debug messages.
Nothing was found for code comments.
Nothing was found for missing HTTP header - Strict-Transport-Security.
Nothing was found for missing HTTP header - Feature.
Nothing was found for passwords submitted in URLs.
Nothing was found for domain too loose set for cookies.
Nothing was found for mixed content between HTTP and HTTPS.
Nothing was found for cross domain file inclusion.
Nothing was found for HttpOnly flag of cookie.
Nothing was found for secure password submission.
Nothing was found for sensitive data.
Nothing was found for Server Side Request Forgery.
Nothing was found for Open Redirect.
Nothing was found for Exposed Backup Files.
Nothing was found for unsafe HTTP header Content Security Policy.
Nothing was found for OpenAPI files.
Nothing was found for file upload.
Nothing was found for SQL statement in request parameter.
Nothing was found for password returned in later response.
Nothing was found for Path Disclosure.
Nothing was found for Session Token in URL.
Nothing was found for API endpoints.
Nothing was found for emails.
Scan coverage information
List of tests performed (50/50)
Starting the scan...
Checking for missing HTTP header - Referrer...
Checking for missing HTTP header - Content Security Policy...
Checking for Secure flag of cookie...
Checking for missing HTTP header - X-Content-Type-Options...
Spidering target...
Checking for login interfaces...
Checking for internal error code...
Checking for website technologies...
Checking for vulnerabilities of server-side software...
Checking for client access policies...
Checking for robots.txt file...
Checking for absence of the security.txt file...
Checking for outdated JavaScript libraries...
Checking for use of untrusted certificates...
Checking for enabled HTTP debug methods...
Checking for administration consoles...
Checking for information disclosure... (this might take a few hours)
Checking for software identification...
Checking for sensitive files...
Checking for interesting files... (this might take a few hours)
Checking for Insecure Direct Object Reference...
Checking for enabled HTTP OPTIONS method...
Checking for secure communication...
Checking for directory listing...
Checking for passwords submitted unencrypted...
Checking for error messages...
Checking for debug messages...
Checking for code comments...
Checking for missing HTTP header - Strict-Transport-Security...
Checking for missing HTTP header - Feature...
Checking for passwords submitted in URLs...
Checking for domain too loose set for cookies...
Checking for mixed content between HTTP and HTTPS...
Checking for cross domain file inclusion...
Checking for HttpOnly flag of cookie...
Checking for secure password submission...
Checking for sensitive data...
Checking for Server Side Request Forgery...
Checking for Open Redirect...
Checking for Exposed Backup Files...
Checking for unsafe HTTP header Content Security Policy...
Checking for OpenAPI files...
Checking for file upload...
Checking for SQL statement in request parameter...
Checking for password returned in later response...
Checking for Path Disclosure...
Checking for Session Token in URL...
Checking for API endpoints...
Checking for emails...
Scan parameters
target: https://petstore.octoperf.com/actions/Catalog.action
scan_type: Light
authentication: False
Scan stats
Unique Injection Points Detected: 116
URLs spidered: 61
Total number of HTTP requests: 16527
Average time until a response was received: 3ms
Total number of HTTP request errors: 270