School of Computer Science and Engineering
BCSE322P Digital Forensics Laboratory
Exercise No: 3
Vulnerability Analysis
Register Number 22BCI0134
Name Gayatri Goverdhan
Submission Deadline 28 August 2025
WINTER SEMESTER 2024-25
Lab Slot: L51+L52
Venue: SJT 517
Exercise No: 3 Vulnerability Analysis
Problem Statement
1. Utilize the given weblink, https://observatory.mozilla.org/analyze/securitytrails.com
a. Prepare the HTTP Observatory Report.
b. Summarize your observation and interpretation in detail.
2. By utilizing the given weblink, https://securityheaders.com
a. Utilize the below given demo websites and analyze the various vulnerabilities.
b. Summarize your observation and interpretation in detail.
3. Demo Websites
a. http://testphp.vulnweb.com/
b. http://demo.testfire.net/
4. Find out 3 new demo websites for vulnerability analysis and prepare the respective
reports accordingly.
Question 1:
https://observatory.mozilla.org/analyze/securitytrails.com
Aim:
To evaluate the security posture of websites by analyzing their HTTP response headers
and overall configuration.
Procedure:
1. Open the Mozilla Observatory Tool and enter the Target Website:
securitytrails.com. and Click on the "Scan Me" button.
2. Check the Scan Summary and look at the overall grade and score.
3. View Detailed Results and scroll down to the Scoring Table.
4. Click on Each Test for More Info and check the “HTTP Response Headers” Tab
and “Raw Results” Tab
5. Prepare Your Report
(a) HTTP Observatory Report:
• Overall Grade: C (since last scan)
• Score: 55 / 100
• Scan Time: ~3 hours ago
• Tests Passed: 8 / 10
1. Scan Summary

Test | Result | Score Impact | Observation | Recommendation
Content Security Policy (CSP) | Failed | −25 | CSP header not implemented; vulnerable to XSS/injection. | Implement CSP. Example: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self';
Cookies | Neutral | – | No cookies detected. | None required unless cookies are used.
Cross-Origin Resource Sharing (CORS) | Passed | 0 | No unsafe CORS configuration. | None.
Redirection | Failed | −20 | Does not enforce HTTP → HTTPS redirect. | Add strict 301 redirect from HTTP to HTTPS.
Referrer Policy | Passed | 0 | Secure setting (same-origin). | None.
Strict Transport Security (HSTS) | Partially Passed | 0 | Enabled with preload + includeSubDomains, but only 180 days. | Increase to 1 year (31536000s) for preload approval.
Subresource Integrity (SRI) | Not Implemented | Neutral | No SRI used for external scripts. | Add SRI to <script> and <link> tags.
X-Content-Type-Options | Passed | 0 | Set to nosniff. | None.
X-Frame-Options | Passed | 0 | Configured as SAMEORIGIN. | Consider using frame-ancestors in CSP.
Cross-Origin Resource Policy (CORP) | Passed | 0 | Implemented (same-origin). | None.
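The score in the table is arithmetic over the per-test deductions (100 − 25 − 20 = 55), and the HSTS row turns on parsing the header's directives. The following Python, written for this report and not code from Mozilla Observatory, reproduces both: it parses Strict-Transport-Security, checks the policy against the preload-list requirements, and applies the deductions from the table to a constructed header set that mirrors the securitytrails.com scan. The HSTS-missing deduction and the grade bands are assumptions recalled from Observatory's scoring chart; verify them against the live tool before relying on them.

```python
import re

# One year in seconds: the minimum max-age hstspreload.org accepts.
PRELOAD_MIN_MAX_AGE = 31536000

# Deductions from the scan table above; "hsts_missing" is an assumption for a
# case the table does not cover.
DEDUCTIONS = {
    "csp_missing": 25,
    "no_https_redirect": 20,
    "hsts_missing": 20,
}

# Grade bands (score threshold, grade) as recalled from Observatory's scoring
# chart; treat as an assumption to check against the current chart.
GRADE_BANDS = [
    (100, "A+"), (90, "A"), (85, "A-"), (80, "B+"), (70, "B"), (65, "B-"),
    (60, "C+"), (50, "C"), (45, "C-"), (40, "D+"), (30, "D"), (25, "D-"), (0, "F"),
]


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its three directives.

    Directive names are case-insensitive and max-age may be quoted; anything
    unrecognised is ignored, which is how browsers treat it.
    """
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if match:
                parsed["max_age"] = int(match.group(1))
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def preload_ready(hsts):
    """True when the parsed policy meets the preload-list requirements."""
    return (
        hsts["max_age"] is not None
        and hsts["max_age"] >= PRELOAD_MIN_MAX_AGE
        and hsts["include_subdomains"]
        and hsts["preload"]
    )


def score_site(headers, redirects_to_https):
    """Apply the table's deductions to a header dict; return (score, grade, findings)."""
    lower = {name.lower(): value for name, value in headers.items()}
    score, findings = 100, []

    if "content-security-policy" not in lower:
        score -= DEDUCTIONS["csp_missing"]
        findings.append("Content-Security-Policy missing (-25)")
    if not redirects_to_https:
        score -= DEDUCTIONS["no_https_redirect"]
        findings.append("HTTP is not redirected to HTTPS (-20)")

    hsts_value = lower.get("strict-transport-security")
    if hsts_value is None:
        score -= DEDUCTIONS["hsts_missing"]
        findings.append("Strict-Transport-Security missing (-20)")
    else:
        hsts = parse_hsts(hsts_value)
        if not preload_ready(hsts):
            # Scored 0 in the table: present, but not yet preload-eligible.
            findings.append(
                f"HSTS max-age={hsts['max_age']} is below the "
                f"{PRELOAD_MIN_MAX_AGE}s preload requirement (0)"
            )

    grade = next(g for threshold, g in GRADE_BANDS if score >= threshold)
    return score, grade, findings


# Constructed header set mirroring what the table records for securitytrails.com;
# 180 days = 15552000 seconds.
SECURITYTRAILS_HEADERS = {
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}

if __name__ == "__main__":
    score, grade, findings = score_site(SECURITYTRAILS_HEADERS, redirects_to_https=False)
    print(f"score={score} grade={grade}")
    for finding in findings:
        print(" -", finding)
```

Running it yields 55 / C with the same three findings as the table; raising max-age to 31536000, adding a CSP and turning on the redirect brings the same header set to 100 / A+.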
Observation:
1. There is no Content-Security-Policy (CSP) header, so the browser is given no restriction on which scripts may run and the site remains exposed to cross-site scripting and script-injection attacks. The site also does not redirect HTTP to HTTPS, so a user who types the bare hostname or follows an http:// link keeps browsing over cleartext HTTP, where an on-path attacker can read or modify the traffic.
2. The Strict-Transport-Security (HSTS) header is present with preload and includeSubDomains, but its max-age is only 180 days (15552000 seconds), below the one year (31536000 seconds) that the HSTS preload list requires.
3. X-Frame-Options is set to SAMEORIGIN, which stops other origins from framing the site and so mitigates clickjacking. X-Content-Type-Options is set to nosniff, which stops browsers from MIME-sniffing a response away from its declared Content-Type.
4. Referrer-Policy is set to same-origin, so the full URL is sent in the Referer header only on same-origin requests and is not leaked to third-party sites. The site also sends the cross-origin isolation headers (COOP, COEP, CORP), which protect against cross-origin data leaks.
5. A Permissions-Policy header is set to disallow powerful APIs such as camera,
microphone, geolocation, and others, enhancing user privacy and preventing abuse.
Interpretation:
1. The site has implemented several strong security headers such as Referrer-Policy,
X-Frame-Options, X-Content-Type-Options, Permissions-Policy, and cross-origin
protection headers, which indicates a good level of awareness of modern web
security practices.
2. Despite these protections, the lack of a CSP is a critical weakness, because it leaves
the site vulnerable to script-based attacks like XSS.
3. The absence of a mandatory HTTPS redirection weakens the overall security
posture, as attackers can potentially intercept or downgrade traffic before it reaches
the secure connection.
4. The HSTS setting shows that the site enforces HTTPS for subdomains and has opted in to preload, but the 180-day max-age is shorter than the one-year minimum the preload list requires, so the site cannot be accepted into the list and the protection is not yet fully effective.
5. While the website has good cross-origin protections in place, its score is reduced
because the missing CSP and lack of strict HTTPS handling are considered
fundamental security gaps by Mozilla Observatory.
Conclusion:
The current security grade is C (55/100), which indicates that the site has a number of countermeasures properly in place but falls short of best practice.
To reach a grade of A or A+, the site needs to deploy a Content-Security-Policy (CSP), redirect all HTTP requests to HTTPS, raise the HSTS max-age to one year, and add Subresource Integrity (SRI) to externally hosted resources.
Once these changes are in place, the site would be substantially hardened against the common threats discussed above: cross-site scripting, clickjacking, MIME sniffing, cleartext traffic interception, and cross-origin data leaks.
All in all, the site is moving in the right direction with solid contemporary headers, but must close the missing foundational protections to reach an industry-standard configuration.
Question 2: https://securityheaders.com
Aim:
To analyze the HTTP response headers of a website using SecurityHeaders.com and
identify missing or misconfigured headers that may cause security vulnerabilities.
Procedure:
1. Open the website https://securityheaders.com and type the URL of the target
website into the search box.
2. Tick the "Hide results" option if you do not want the scan to appear in the site's public list of recent scans.
3. Click on the Scan button and note the Grade (A+ to F) displayed at the top.
4. Check the list of detected headers and identify which headers are present and
missing.
5. Record the security risks associated with missing headers.
6. Summarize the overall findings.
Question 3: DEMO WEBSITES
(a) http://testphp.vulnweb.com/
Observation:
1) The site earned an overall Grade: F, marking very weak security posture.
2) The site is served via HTTP rather than HTTPS, and it is thus susceptible to
interception and man-in-the-middle attacks.
3) The following crucial security headers are absent:
• Content-Security-Policy (CSP) avoids XSS by limiting sources of content.
• X-Frame-Options: It guards against clickjacking attacks.
• X-Content-Type-Options: It avoids MIME-sniffing attacks.
• Referrer-Policy: It manages information leakage via the Referer header.
• Permissions-Policy: It limits browser features and APIs.
4) The raw headers show Server: nginx/1.19.0 and X-Powered-By: PHP/5.6.40, disclosing the backend products and their exact versions.
5) The upcoming headers Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy are not implemented.
6) The response body is gzip-compressed (Content-Encoding: gzip); compression has no bearing on the missing security headers and does not offset them.
Interpretation:
1. The missing CSP header leaves the site open to Cross-Site Scripting (XSS) attacks,
which can allow attackers to inject malicious scripts.
2. The absence of X-Frame-Options makes the site vulnerable to clickjacking attacks,
where users may be tricked into clicking hidden elements.
3. Without X-Content-Type-Options, browsers may MIME-sniff content and execute
unintended scripts, increasing XSS risk.
4. The lack of Referrer-Policy causes unnecessary leakage of sensitive URLs to
external sites.
5. The absence of Permissions-Policy means features like geolocation, microphone, or
camera could be abused if enabled by default.
6. Running the site on HTTP means all communications are insecure, exposing data to
interception and modification.
7. The Server and X-Powered-By headers disclose exact product versions, which attackers can use for fingerprinting and for matching known vulnerabilities. PHP 5.6 reached end of life in December 2018 and no longer receives security fixes, so this disclosure points directly at an unsupported runtime.
Conclusion:
1. The website is highly insecure as it received an overall grade of F on the security
headers test.
2. The absence of HTTPS makes the site vulnerable to data interception and man-in-
the-middle attacks.
3. Missing critical headers such as CSP, X-Frame-Options, X-Content-Type-Options,
Referrer-Policy, and Permissions-Policy expose the site to various security risks.
4. The lack of proper protections increases the chances of XSS, clickjacking, MIME-
sniffing, and sensitive data leakage attacks.
5. The server details, including nginx and PHP version, are publicly exposed, which
could allow attackers to exploit known vulnerabilities.
6. The overall security posture of the website must be improved by enforcing
encryption, adding necessary headers, and hiding unnecessary server information.
(b) http://demo.testfire.net/
Observation:
1. The website scored an F in the security headers report, reflecting a weak security
posture.
2. The website is served via HTTP and is not redirected to HTTPS, leaving the
communications unencrypted.
3. Critical headers like Content-Security-Policy, X-Frame-Options, X-Content-Type-
Options, Referrer-Policy, and Permissions-Policy are absent.
4. The Server header reports Apache-Coyote/1.1 (the Apache Tomcat HTTP connector), so the server software is publicly identifiable.
5. A JSESSIONID session cookie is set without the SameSite attribute, so browsers attach it to cross-site requests, which makes the session usable in Cross-Site Request Forgery (CSRF) attacks.
6. The website does not apply contemporary security headers such as Cross-Origin-
Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy.
Interpretation:
1. The lack of HTTPS exposes user data to interception and man-in-the-middle
attacks.
2. Missing Content-Security-Policy makes the application more prone to XSS (Cross-
Site Scripting) attacks.
3. The absence of X-Frame-Options allows the site to be embedded in iframes,
making it vulnerable to clickjacking.
4. Without X-Content-Type-Options, browsers may attempt MIME-sniffing,
increasing the risk of malicious code execution.
5. The missing Referrer-Policy may lead to leakage of sensitive URL information
when navigating between sites.
6. Absence of Permissions-Policy leaves browser APIs unrestricted, which can be
exploited by attackers.
7. Exposure of the server software version and lack of SameSite protection in cookies
create additional attack vectors.
Conclusion:
1. The website is insecure and has major vulnerabilities due to missing essential
security headers.
2. The absence of HTTPS means the site fails to protect communication
confidentiality and integrity.
3. Missing headers make the website susceptible to XSS, clickjacking, MIME-
sniffing, and data leakage.
4. The session cookie set without SameSite increases the risk of CSRF, and because it is transmitted over plaintext HTTP it can also be captured for session hijacking.
5. Disclosure of server details provides attackers with useful information to exploit
known vulnerabilities.
6. The overall security configuration of this website is outdated and requires
immediate remediation by enforcing encryption, adding security headers, and
securing cookies.
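The two securityheaders.com findings above (missing headers plus version disclosure on testphp.vulnweb.com, and a session cookie without SameSite on demo.testfire.net) can be checked from a saved response without the online tool. The following Python is written for this report and is not securityheaders.com's code; it parses a raw HTTP response, lists the graded headers that are absent, flags Server/X-Powered-By disclosure, and audits each Set-Cookie for Secure, HttpOnly and SameSite. The two responses are constructed from the observations above (status line and headers only; the cookie value is made up).

```python
import re

# Constructed responses modelled on the two scans above; header set and
# cookie value are illustrative, not captured traffic.
TESTPHP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.19.0\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Powered-By: PHP/5.6.40\r\n"
    "Content-Encoding: gzip\r\n"
    "\r\n"
)
TESTFIRE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "Set-Cookie: JSESSIONID=0000EXAMPLE; Path=/\r\n"
    "\r\n"
)

# Headers that securityheaders.com grades; HSTS is only expected over HTTPS.
REQUIRED_HEADERS = [
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
]
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_response(raw):
    """Return (status_line, [(name, value), ...]), keeping repeated Set-Cookie lines."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return status_line, headers


def cookie_issues(set_cookie):
    """Flag a Set-Cookie value that lacks Secure, HttpOnly or SameSite."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].lower(): p.partition("=")[2] for p in parts[1:]}
    issues = [f"{name}: missing {attr}" for attr in ("secure", "httponly", "samesite") if attr not in attrs]
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        issues.append(f"{name}: SameSite=None requires Secure")
    return issues


def audit(raw, scheme):
    """Summarise missing headers, disclosure and cookie problems for one response."""
    _status, headers = parse_response(raw)
    present = {name.lower(): value for name, value in headers}
    required = list(REQUIRED_HEADERS)
    if scheme == "https":
        required.insert(0, "Strict-Transport-Security")
    report = {
        "plaintext": scheme == "http",
        "missing": [h for h in required if h.lower() not in present],
        "disclosure": [],
        "cookies": [],
    }
    for name, value in headers:
        lname = name.lower()
        if lname in DISCLOSURE_HEADERS:
            # A bare product name is mildly informative; a version number is a target.
            detail = "version" if re.search(r"\d", value) else "product"
            report["disclosure"].append(f"{name}: {value} ({detail})")
        elif lname == "set-cookie":
            report["cookies"].extend(cookie_issues(value))
    return report


if __name__ == "__main__":
    for label, raw in (("testphp.vulnweb.com", TESTPHP_RESPONSE), ("demo.testfire.net", TESTFIRE_RESPONSE)):
        print(label, audit(raw, "http"))
```

Both constructed responses come back with all five graded headers missing, which is what an F on securityheaders.com means; the testfire one additionally reports the JSESSIONID cookie without Secure, HttpOnly or SameSite.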
Question 4: 3 NEW DEMO WEBSITES
(a) https://www.uat.siemens-energy.com/
Observation:
1. The site was awarded an overall security grade of F.
2. A number of important headers are absent, such as Strict-Transport-Security,
Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-
Policy, and Permissions-Policy.
3. The response was an HTTP/2 401 Unauthorized, indicating that the resource requires authentication.
4. The scanner warned that the response is not HTML, so the headers it graded belong to the 401 error response and may not reflect what authenticated users receive on the HTML pages.
5. The Server header identifies "C2 Comms Cloud", revealing backend technology information.
6. No Set-Cookie headers were present in the response, so cookie safeguards such as SameSite could not be assessed.
7. The upcoming headers Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy are not implemented.
Interpretation:
1. The missing Strict-Transport-Security header means browsers do not remember to use HTTPS for this host, so a later http:// request can be intercepted and the connection downgraded.
2. The absence of a Content-Security-Policy increases the risk of cross-site scripting
(XSS) and malicious resource injection.
3. Without X-Frame-Options, the site is exposed to clickjacking attacks.
4. Missing X-Content-Type-Options allows MIME-sniffing, potentially leading to
malicious content execution.
5. No Referrer-Policy means sensitive URL information may leak during navigation.
6. Missing Permissions-Policy allows unnecessary browser features and APIs,
expanding the attack surface.
7. The disclosure of the server type (C2 Comms Cloud) can help attackers in
fingerprinting and targeting known vulnerabilities.
8. The 401 Unauthorized response means the main site might be access-controlled,
but the security headers should still be properly configured for error pages.
Conclusion:
1. The website is currently rated as insecure, with a failing grade due to missing
critical security headers.
2. Even though the site requires authentication (401 Unauthorized), the lack of proper
headers still leaves it exposed to potential security risks.
3. Weak or missing security headers increase the chances of XSS, clickjacking,
MIME-sniffing, and sensitive data exposure.
4. The disclosure of server information provides attackers with unnecessary technical
insights.
5. To improve its security posture, the site must enforce HTTPS with HSTS, add
CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and
Permissions-Policy, while also minimizing server information exposure.
(b) https://alpha.moh.gov.my/
Observation:
1. The site received a security grade of D, which shows partial implementation of
security headers.
2. The Strict-Transport-Security (HSTS) header is present with strong settings (max-
age=31536000; includeSubDomains; preload).
3. Critical headers such as Content-Security-Policy (CSP), X-Frame-Options, X-
Content-Type-Options, Referrer-Policy, and Permissions-Policy are missing.
4. The server is running on nginx, and the version details are exposed, which could
increase risk.
5. The site supports HTTPS with compression (gzip) and returns a 200 OK response.
6. Upcoming headers like Cross-Origin-Embedder-Policy, Cross-Origin-Opener-
Policy, and Cross-Origin-Resource-Policy are not implemented.
Interpretation:
1. The presence of HSTS ensures that browsers will enforce secure HTTPS
connections, reducing the risk of downgrade and man-in-the-middle attacks.
2. The absence of a CSP means the website is vulnerable to cross-site scripting (XSS)
attacks, as it cannot restrict malicious scripts.
3. Without X-Frame-Options, the site is exposed to clickjacking attacks, where
attackers could load the site in hidden frames.
4. Missing X-Content-Type-Options allows browsers to MIME-sniff, which may lead
to malicious file execution.
5. The lack of a Referrer-Policy may result in sensitive information being leaked
when users navigate to external sites.
6. The absence of Permissions-Policy means the site does not restrict powerful features such as camera, microphone or geolocation, leaving them available to any embedded content that asks for them.
7. Server information disclosure (nginx) can help attackers craft targeted attacks
based on known vulnerabilities.
8. The partial implementation of headers indicates that while the site has some
baseline security, it still lacks critical protections for modern web threats.
Conclusion:
1. The site demonstrates a moderate level of security with HSTS properly configured,
but it is still graded D, showing significant gaps.
2. The missing headers such as CSP, X-Frame-Options, and X-Content-Type-Options
create major vulnerabilities that attackers could exploit.
3. Sensitive data leakage, XSS, and clickjacking attacks remain possible due to
incomplete header implementation.
4. The server’s nginx disclosure increases the risk of targeted exploits if not patched
or hardened.
5. Overall, the website’s security posture is weak, and immediate improvements are
needed by implementing all missing headers and hardening the server
configuration.
(c) https://admin.demo.events.dc.siemens-energy.com/
Observation:
1. The website received an overall grade of A, which shows it already follows strong
baseline security practices.
2. The security headers X-Frame-Options, X-XSS-Protection, X-Content-Type-
Options, Referrer-Policy, Strict-Transport-Security, and Permissions-Policy are
properly configured, providing protection against clickjacking, MIME-sniffing,
and insecure referrer leakage.
3. The Content-Security-Policy (CSP) header is missing, which leaves the site
exposed to potential Cross-Site Scripting (XSS) attacks.
4. The upcoming headers Cross-Origin-Embedder-Policy (COEP), Cross-Origin-
Opener-Policy (COOP), and Cross-Origin-Resource-Policy (CORP) are not yet
implemented, although they are recommended for additional cross-origin security.
5. The Server header is disclosing the server software (nginx), which can help
attackers fingerprint the system and plan targeted attacks.
Interpretation:
1. The presence of these headers means the site already mitigates clickjacking, MIME sniffing and referrer leakage. X-XSS-Protection, although listed as present, is a deprecated header: Chromium-based browsers have removed the XSS auditor it controlled and Firefox never implemented one, so it should not be counted as an XSS defense.
2. The Strict-Transport-Security (HSTS) header enforces all communication to take
place over HTTPS, which makes TLS enforcement even more robust and defends
users against downgrade attacks.
3. The lack of Content-Security-Policy (CSP) is the most notable problem because
CSP is one of the best defenses against XSS attacks and malicious resource
loading.
4. The existing Permissions-Policy setup is too lenient because it enables features like
camera, autoplay, and fullscreen, which could make unnecessary browser APIs
available to attackers for abuse.
5. The server disclosure in the response header degrades security posture, as attackers
can exploit known vulnerabilities in the particular server software based on this
information.
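The Permissions-Policy finding above is about allowlists rather than presence: a feature set to `*` is granted to every origin, including anything the page embeds, whereas `()` turns it off and `(self)` keeps it for the site alone. The following Python, added for this report and not the site's or the scanner's code, parses the header's dictionary syntax, reports features exposed beyond what the application needs, and emits a least-privilege replacement. The policy string is constructed to match the observation that camera, autoplay and fullscreen are enabled; the real header is not reproduced here, and treating fullscreen as the only required feature is an assumption.

```python
# Constructed policy matching the observation above; the exact header the site
# sends is not reproduced here.
OBSERVED_POLICY = "camera=*, autoplay=*, fullscreen=*, geolocation=(), microphone=()"


def parse_permissions_policy(value):
    """Parse 'feature=allowlist' members into {feature: allowlist_tokens}.

    Allowlists use the Structured Fields dictionary form: '*' (any origin),
    '()' (nobody), or a parenthesised, space-separated list of 'self' and
    quoted origins, e.g. '(self "https://cdn.example")'.
    """
    policy = {}
    for member in value.split(","):
        member = member.strip()
        if not member:
            continue
        feature, _, allow = member.partition("=")
        allow = allow.strip()
        if allow == "*":
            tokens = ["*"]
        elif allow.startswith("(") and allow.endswith(")"):
            tokens = [t.strip('"') for t in allow[1:-1].split()]
        else:
            # Bare single token such as self or a quoted origin.
            tokens = [allow.strip('"')] if allow else []
        policy[feature.strip().lower()] = tokens
    return policy


def lenient_features(policy, required_self=frozenset()):
    """Features exposed beyond what the application needs.

    Anything open to '*' or to a third-party origin is lenient; a feature
    granted to 'self' is lenient unless the application actually needs it.
    """
    lenient = set()
    for feature, tokens in policy.items():
        if "*" in tokens or any(t != "self" for t in tokens):
            lenient.add(feature)
        elif tokens == ["self"] and feature not in required_self:
            lenient.add(feature)
    return lenient


def tighten(policy, required_self=frozenset()):
    """Return a least-privilege header: everything off except required features on self."""
    members = []
    for feature in sorted(policy):
        allow = "(self)" if feature in required_self else "()"
        members.append(f"{feature}={allow}")
    return ", ".join(members)


if __name__ == "__main__":
    parsed = parse_permissions_policy(OBSERVED_POLICY)
    needed = {"fullscreen"}  # assumption about what the application requires
    print("lenient:", sorted(lenient_features(parsed, needed)))
    print("Permissions-Policy:", tighten(parsed, needed))
```

On the constructed policy the script reports camera, autoplay and fullscreen as lenient and proposes `autoplay=(), camera=(), fullscreen=(self), geolocation=(), microphone=()`, which is the least-privilege form the conclusion below calls for.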
Conclusion:
1. The website already has a strong security posture with an A grade and most of the
critical headers in place.
2. The most urgent improvement is to implement a Content-Security-Policy (CSP) to
mitigate XSS and limit resource loading to trusted domains.
3. The Permissions-Policy should be restricted further to follow the principle of least
privilege and only enable features required by the application.
4. The Server header should be hidden or masked to prevent unnecessary exposure of
software details.
5. The adoption of modern cross-origin headers (COEP, COOP, and CORP) would
strengthen the site against advanced browser-based attacks and future-proof its
security.