Website Vulnerability Scanner Report (Light)

Unlock the full capabilities of this scanner

See what the DEEP scanner can do

Perform in-depth website scanning and discover high risk vulnerabilities.

Testing areas Light scan Deep scan

Website fingerprinting  
Version-based vulnerability detection  

Common configuration issues  

SQL injection  
Cross-Site Scripting  

Local/Remote File Inclusion  

Remote command execution  

Discovery of sensitive files  

 https://finstratmgmt.com/
Target added due to a redirect from https://finstratmgmt.com

The Light Website Scanner didn't check for critical issues like SQLi, XSS, Command Injection, XXE, etc. Upgrade to run Deep scans with
40+ tests and detect more vulnerabilities.

Summary

Overall risk level: Risk ratings: Scan information:

Low Critical: 0 Start time: Jun 28, 2025 / 08:43:00 UTC+03
High: 0 Finish time: Jun 28, 2025 / 08:44:07 UTC+03
Medium: 0 Scan duration: 1 min, 7 sec

Low: 7 Tests performed: 40/40

Info: 33 Scan status: Finished

Findings

 Missing security header: Content-Security-Policy CONFIRMED

port 443/tcp

URL Evidence

Response does not include the HTTP Content-Security-Policy security header or meta tag
https://finstratmgmt.com/
Request / Response

 Details

Risk description:
The risk is that if the target application is vulnerable to XSS, lack of this header makes it easily exploitable by attackers.

1/8
 Recommendation:
Configure the Content-Security-Header to be sent with each HTTP response in order to apply the specific policies needed by the
application.

References:
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Classification:
CISA KEV : False
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Missing security header: X-Content-Type-Options CONFIRMED

port 443/tcp

URL Evidence

Response headers do not include the X-Content-Type-Options HTTP security header

https://finstratmgmt.com/
Request / Response

 Details

Risk description:
The risk is that lack of this header could make possible attacks such as Cross-Site Scripting or phishing in Internet Explorer browsers.

Recommendation:
We recommend setting the X-Content-Type-Options header such as X-Content-Type-Options: nosniff .

References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Classification:
CISA KEV : False
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Missing security header: Strict-Transport-Security CONFIRMED

port 443/tcp

URL Evidence

Response headers do not include the HTTP Strict-Transport-Security header

https://finstratmgmt.com/
Request / Response

 Details

Risk description:
The risk is that lack of this header permits an attacker to force a victim user to initiate a clear-text HTTP connection to the server, thus
opening the possibility to eavesdrop on the network traffic and extract sensitive information (e.g. session cookies).

Recommendation:
The Strict-Transport-Security HTTP header should be sent with each HTTPS response. The syntax is as follows:

Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]

The parameter max-age gives the time frame for requirement of HTTPS in seconds and should be chosen quite high, e.g. several months.
A value below 7776000 is considered as too low by this scanner check.
The flag includeSubDomains defines that the policy applies also for sub domains of the sender of the response.

Classification:
CISA KEV : False
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Missing security header: Referrer-Policy CONFIRMED

2/8
 port 443/tcp

URL Evidence

Response headers do not include the Referrer-Policy HTTP security header as well as the <meta> tag with name
https://finstratmgmt.com/ 'referrer' is not present in the response.
Request / Response

 Details

Risk description:
The risk is that if a user visits a web page (e.g. "http://example.com/pricing/") and clicks on a link from that page going to e.g.
"https://www.google.com", the browser will send to Google the full originating URL in the Referer header, assuming the Referrer-Policy
header is not set. The originating URL could be considered sensitive information and it could be used for user tracking.

Recommendation:
The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value
no-referrer of this header instructs the browser to omit the Referer header entirely.

References:
https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns

Classification:
CISA KEV : False
CWE : CWE-693
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Robots.txt file found CONFIRMED

port 443/tcp

URL

https://finstratmgmt.com/robots.txt

 Details

Risk description:
There is no particular security risk in having a robots.txt file. However, it's important to note that adding endpoints in it should not be
considered a security measure, as this file can be directly accessed and read by anyone.

Recommendation:
We recommend you to manually review the entries from robots.txt and remove the ones which lead to sensitive locations in the website
(ex. administration panels, configuration files, etc).

References:
https://www.theregister.co.uk/2015/05/19/robotstxt/

Classification:
CISA KEV : False
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Exposure of Sensitive Information UNCONFIRMED 

port 443/tcp

URL Method Parameters Evidence

Credit Card Number:

Headers:
3547241976621049
https://finstratmgmt.com/ GET User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Request / Response

 Details

Risk description:
The risk exists that sensitive personal information within the application could be accessed by unauthorized parties. This could lead to
privacy violations, identity theft, or other forms of personal or corporate harm.

3/8
 Recommendation:
Compartmentalize the application to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to
go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

Classification:
CISA KEV : False

 Server software and technology found UNCONFIRMED 

port 443/tcp

Software / Version Category

Clipboard.js JavaScript libraries

Magnific Popup 2.1.4 JavaScript libraries

FitVids.JS 4.27.4 Widgets, Video players

jQuery Migrate 3.4.1 JavaScript libraries

Google Analytics Analytics

Google Font API Font scripts

HTTP/3 Miscellaneous

jQuery 3.7.1 JavaScript libraries

Slick JavaScript libraries

MySQL Databases

Open Graph Miscellaneous

PHP Programming languages

Site Kit 1.154.0 Analytics, WordPress plugins

Priority Hints Performance

WordPress CMS, Blogs

WP Engine PaaS, Hosting

Cloudflare CDN

Divi 4.27.4 Page builders, WordPress themes, WordPress plugins

Google Tag Manager Tag managers

HubSpot Marketing automation

Lodash 1.13.7 JavaScript libraries

RSS Miscellaneous

Wordfence Login Security 1.1.15 WordPress plugins, Security

Yoast SEO 25.3 SEO, WordPress plugins

 Details

Risk description:
The risk is that an attacker could use this information to mount specific attacks against the identified software type and version.

Recommendation:
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating
system: HTTP server headers, HTML meta information, etc.

References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-

4/8
 Fingerprint_Web_Server.html

Classification:
CISA KEV : False
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Security.txt file is missing CONFIRMED

port 443/tcp

URL

Missing: https://finstratmgmt.com/.well-known/security.txt

 Details

Risk description:
There is no particular risk in not having a security.txt file for your server. However, this file is important because it offers a designated
channel for reporting vulnerabilities and security issues.

Recommendation:
We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users report any security
issues they find, improving the defensive mechanisms of your server.

References:
https://securitytxt.org/

Classification:
CISA KEV : False
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Email Address Exposure UNCONFIRMED 

port 443/tcp

URL Method Parameters Evidence

Email Address:
Headers: [email protected]
https://finstratmgmt.com/ GET User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 m
(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Request / Response

 Details

Risk description:
The risk is that exposed email addresses within the application could be accessed by unauthorized parties. This could lead to privacy
violations, spam, phishing attacks, or other forms of misuse.

Recommendation:
Compartmentalize the application to have 'safe' areas where trust boundaries can be unambiguously drawn. Do not allow email addresses
to go outside of the trust boundary, and always be careful when interfacing with a compartment outside of the safe area.

References:
https://owasp.org/Top10/A04_2021-Insecure_Design/

Classification:
CISA KEV : False
CVE : -1
CWE : CWE-200
OWASP Top 10 - 2017 : A6: Security Misconfiguration
OWASP Top 10 - 2021 : A4: Insecure Design

 Website is accessible.

 Nothing was found for vulnerabilities of server-side software.

5/8
 Nothing was found for client access policies.

 Nothing was found for use of untrusted certificates.

 Nothing was found for enabled HTTP debug methods.

 Nothing was found for enabled HTTP OPTIONS method.

 Nothing was found for secure communication.

 Nothing was found for directory listing.

 Nothing was found for passwords submitted unencrypted.

 Nothing was found for error messages.

 Nothing was found for debug messages.

 Nothing was found for code comments.

 Nothing was found for missing HTTP header - Feature.

 Nothing was found for passwords submitted in URLs.

 Nothing was found for domain too loose set for cookies.

 Nothing was found for mixed content between HTTP and HTTPS.

 Nothing was found for cross domain file inclusion.

 Nothing was found for internal error code.

 Nothing was found for HttpOnly flag of cookie.

 Nothing was found for Secure flag of cookie.

 Nothing was found for login interfaces.

6/8
 Nothing was found for secure password submission.

 Nothing was found for unsafe HTTP header Content Security Policy.

 Nothing was found for OpenAPI files.

 Nothing was found for file upload.

 Nothing was found for SQL statement in request parameter.

 Nothing was found for password returned in later response.

 Nothing was found for Path Disclosure.

 Nothing was found for Session Token in URL.

 Nothing was found for API endpoints.

 Nothing was found for missing HTTP header - Rate Limit.

Scan coverage information

List of tests performed (40/40)

 Test initial connection
 Scanned for missing HTTP header - Content Security Policy
 Scanned for sensitive data
 Scanned for missing HTTP header - X-Content-Type-Options
 Scanned for missing HTTP header - Strict-Transport-Security
 Scanned for missing HTTP header - Referrer
 Scanned for emails
 Scanned for website technologies
 Scanned for version-based vulnerabilities of server-side software
 Scanned for client access policies
 Scanned for robots.txt file
 Scanned for absence of the security.txt file
 Scanned for use of untrusted certificates
 Scanned for enabled HTTP debug methods
 Scanned for enabled HTTP OPTIONS method
 Scanned for secure communication
 Scanned for directory listing
 Scanned for passwords submitted unencrypted
 Scanned for error messages
 Scanned for debug messages
 Scanned for code comments
 Scanned for missing HTTP header - Feature
 Scanned for passwords submitted in URLs
 Scanned for domain too loose set for cookies
 Scanned for mixed content between HTTP and HTTPS
 Scanned for cross domain file inclusion
 Scanned for internal error code
 Scanned for HttpOnly flag of cookie
 Scanned for Secure flag of cookie
 Scanned for login interfaces

7/8
  Scanned for secure password submission
 Scanned for unsafe HTTP header Content Security Policy
 Scanned for OpenAPI files
 Scanned for file upload
 Scanned for SQL statement in request parameter
 Scanned for password returned in later response
 Scanned for Path Disclosure
 Scanned for Session Token in URL
 Scanned for API endpoints
 Scanned for missing HTTP header - Rate Limit

Scan parameters
target: https://finstratmgmt.com/
scan_type: Light
authentication: False

Scan stats
Unique Injection Points Detected: 155
URLs spidered: 2
Total number of HTTP requests: 11
Average time until a response was
271ms
received:

8/8