April 19, 2020

Online Security Scan tool for any website

Use-case:
How to generate a website vulnerability scanner report online

Solution:
Go to this URL: https://pentest-tools.com/home
Enter the website URL (for example https://www.test.com/) under the web server scan tab.
Click Scan; the tool generates a report that covers the scanning parameters listed below.

This tool focuses on the following areas:



List of tests performed (10/10)
  1. Fingerprinting the server software and technology...
  2. Checking for vulnerabilities of server-side software...
  3. Analyzing the security of HTTP cookies...
  4. Analyzing HTTP security headers...
  5. Checking for secure communication...
  6. Checking robots.txt file...
  7. Checking client access policies...
  8. Checking for directory listing (quick scan)...
  9. Checking for password auto-complete (quick scan)...
  10. Checking for clear-text submission of passwords (quick scan)...

Server software and technology found
Software / Version        Category


Insecure HTTP cookies
Cookie Name               Flags missing
AWSELB                    Secure, HttpOnly
Details

Risk description:
Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel (plain HTTP) if such a request is made. Thus, the risk exists that an attacker intercepts the clear-text communication between the browser and the server and steals the user's cookie. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.

Lack of the HttpOnly flag permits the browser to access the cookie from client-side scripts (e.g. JavaScript, VBScript). This can be exploited by an attacker in conjunction with a Cross-Site Scripting (XSS) attack in order to steal the affected cookie. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.

Recommendation:
We recommend reconfiguring the web server in order to set the Secure and HttpOnly flags on all sensitive cookies.
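The check behind the "Insecure HTTP cookies" finding can be reproduced locally on a site's own Set-Cookie headers before the scanner ever sees them. The Python below is an added example, not part of the original post or of pentest-tools.com; the sample headers are constructed, and AWSELB is only reused because it is the cookie name the report flagged.

```python
"""Check Set-Cookie headers for the Secure / HttpOnly flags the report looks for.
Added example, not part of the original post or of pentest-tools.com; the sample
headers are constructed, AWSELB being the cookie name the report flagged."""
from typing import Dict, List

REQUIRED_FLAGS = ("Secure", "HttpOnly")  # flags the report expects on sensitive cookies


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Return {'__name__': cookie_name, attr_lower: value} for one Set-Cookie value.
    Attribute names are case-insensitive (RFC 6265); value-less flags map to ''."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs = {"__name__": parts[0].split("=", 1)[0].strip()}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def missing_flags(header: str) -> List[str]:
    """Flags from REQUIRED_FLAGS that this header lacks, in REQUIRED_FLAGS order."""
    attrs = parse_set_cookie(header)
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Cookie name -> missing flags, like the report's 'Insecure HTTP cookies' table.
    Compliant cookies are left out."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        missing = missing_flags(header)
        if missing:
            findings[parse_set_cookie(header)["__name__"]] = missing
    return findings


def harden(header: str) -> str:
    """Header with the missing required flags appended: what the reconfigured
    server should emit. The real fix belongs in server / load balancer config."""
    return "; ".join([header.rstrip("; ")] + missing_flags(header))


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    "AWSELB=0123ABCD; Path=/",               # the report's finding: both flags missing
    "JSESSIONID=abc123; Path=/; HttpOnly",   # only Secure missing
    "theme=dark; Path=/; Secure; HttpOnly",  # compliant, not reported
]
```

Running `audit_cookies(SAMPLE_HEADERS)` yields the same table the report shows for AWSELB, and `harden()` shows the header the reconfigured server should send instead.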

More information about this issue:


By aem4beginner
