Delhi Ford 1

Acunetix Website Audit
21 September, 2019
Developer Report
Generated by Acunetix WVS Reporter (v9.5 Build 20140602)

Scan of http://www.delhiford.com:80/
Scan details
Scan information
Start time 9/20/2019 10:27:57 PM
Finish time 9/21/2019 1:01:55 AM
Scan time 2 hours, 33 minutes
Profile Default
Server information
Responsive True
Server banner Microsoft-IIS/8.5
Server OS Windows
Server technologies ASP.NET
Threat level
Acunetix Threat Level 1
One or more low-severity type vulnerabilities have been discovered by the scanner.
Alerts distribution
Total alerts found 4

High 0
Medium 0
Low 4
Informational 0
Alerts summary
Clickjacking: X-Frame-Options header missing

Classification
CVSS Base Score: 6.8
- Access Vector: Network

- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
CWE CWE-693
Affected items Variation
Web Server s1
Acunetix Website Audit 2

File upload
Classification

- Access Complexity: Low
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
CWE CWE-16
/career.aspx s1
OPTIONS method is enabled

Classification

- Confidentiality Impact: Partial
CWE CWE-200
Web Server s1
Session Cookie without Secure flag set

Classification

- Confidentiality Impact: None
CWE CWE-16
/ s1

Alert details
Clickjacking: X-Frame-Options header missing
Severity Low
Type Configuration
Reported by module Scripting (Clickjacking_X_Frame_Options.script)
Description
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web
user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing
confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking
attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be
allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their
content is not embedded into other sites.
Impact
The impact depends on the affected web application.
Recommendation
Configure your web server to include an X-Frame-Options header. Consult Web references for more information about
the possible values for this header.
References
Original Clickjacking paper
Clickjacking
The X-Frame-Options response header
Affected items
Web Server
Details
No details are available.
Request headers
GET / HTTP/1.1
Cookie: ASP.NET_SessionId=h2upeouiwedcdpxi2jivordy
Host: www.delhiford.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

File upload
Severity Low
Type Informational
Reported by module Crawler
Description
This page allows visitors to upload files to the server. Various web applications allow users to upload files (such as
pictures, images, sounds, ...). Uploaded files may pose a significant risk if not handled correctly. A remote attacker could
send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
Impact
If the uploaded files are not safely checked an attacker may upload malicious files.
Recommendation
Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist
approach instead of a blacklist. Check for double extensions such as .php.png. Check for files without a filename like
.htaccess (on ASP.NET, check for configuration files like web.config). Change the permissions on the upload folder so
the files within it are not executable. If possible, rename the files that are uploaded.
Affected items
/career.aspx
Details
Form name: <empty>
Form action: http://www.delhiford.com/career.aspx
Form method: POST
Form inputs:
- __EVENTTARGET [Hidden]
- __EVENTARGUMENT [Hidden]
- __VIEWSTATE [Hidden]
- __VIEWSTATEGENERATOR [Hidden]
- __EVENTVALIDATION [Hidden]
- ctl00$ContentPlaceHolder1$Textbox1 [Text]
- ctl00$ ... (line truncated)
Request headers
GET /career.aspx HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.delhiford.com/
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

OPTIONS method is enabled
Severity Low
Type Validation
Reported by module Scripting (Options_Server_Method.script)
Description
HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are
supported by the web server, it represents a request for information about the communication options available on the
request/response chain identified by the Request-URI.
Impact
The OPTIONS method may expose sensitive information that may help an malicious user to prepare more advanced
attacks.
Recommendation
It's recommended to disable OPTIONS Method on the web server.
References
Testing for HTTP Methods and XST (OWASP-CM-008)
Affected items
Web Server
Details
Methods allowed: OPTIONS, TRACE, GET, HEAD, POST
Request headers
OPTIONS / HTTP/1.1
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

Session Cookie without Secure flag set
Severity Low
Type Informational
Reported by module Crawler
Description
This cookie does not have the Secure flag set. When a cookie is set with the Secure flag, it instructs the browser that the
cookie can only be accessed over secure SSL channels. This is an important security protection for session cookies.
Impact
None
Recommendation
If possible, you should set the Secure flag for this cookie.
Affected items
/
Details
Cookie name: "ASP.NET_SessionId"
Cookie domain: "www.delhiford.com"
Request headers
GET / HTTP/1.1
Chrome/28.0.1500.63 Safari/537.36
Accept: */*

Scanned items (coverage report)
Scanned 53 URLs. Found 2 vulnerable.
URL: http://www.delhiford.com/
Vulnerabilities has been identified for this URL
4 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
__VIEWSTATE URL encoded POST
__VIEWSTATEGENERATOR URL encoded POST
Input scheme 2
/ Path Fragment (suffix .aspx)
Input scheme 3
Host HTTP Header
URL: http://www.delhiford.com/figo.aspx
No vulnerabilities has been identified for this URL
Inputs
Input scheme 1
__EVENTVALIDATION URL encoded POST
ctl00%24ContentPlaceHolder1%24Button1 URL encoded POST
URL: http://www.delhiford.com/career.aspx
Vulnerabilities has been identified for this URL
Inputs
Input scheme 1
__EVENTARGUMENT POST (multipart)
__EVENTTARGET POST (multipart)
__EVENTVALIDATION POST (multipart)
__VIEWSTATE POST (multipart)
__VIEWSTATEGENERATOR POST (multipart)
ctl00$ContentPlaceHolder1$Button1 POST (multipart)
ctl00$ContentPlaceHolder1$FileUpload1 POST (multipart)
ctl00$ContentPlaceHolder1$Textbox1 POST (multipart)
ctl00$ContentPlaceHolder1$TextBox4 POST (multipart)
Input scheme 2
__EVENTARGUMENT POST (multipart)
__EVENTTARGET POST (multipart)
__EVENTVALIDATION POST (multipart)
__LASTFOCUS POST (multipart)

__VIEWSTATE POST (multipart)
__VIEWSTATEGENERATOR POST (multipart)
ctl00$ContentPlaceHolder1$Button1 POST (multipart)
ctl00$ContentPlaceHolder1$FileUpload1 POST (multipart)
ctl00$ContentPlaceHolder1$TextBox4 POST (multipart)
URL: http://www.delhiford.com/aspire.aspx
Inputs
Input scheme 1
URL: http://www.delhiford.com/app.aspx
Inputs
Input scheme 1
URL: http://www.delhiford.com/images/
No input(s) found for this URL
URL: http://www.delhiford.com/images/vehivles/
URL: http://www.delhiford.com/images/metallic
URL: http://www.delhiford.com/images/car_colors/
URL: http://www.delhiford.com/images/endeavour/
URL: http://www.delhiford.com/default.aspx
Inputs
Input scheme 1

Input scheme 2
aspxerrorpath URL encoded GET
Input scheme 3
aspxerrorpath URL encoded GET
URL: http://www.delhiford.com/contact.aspx
Inputs
Input scheme 1
__EVENTARGUMENT URL encoded POST
__EVENTTARGET URL encoded POST
ctl00%24ContentPlaceHolder1%24TextBox1 URL encoded POST
Input scheme 2
__LASTFOCUS URL encoded POST
Input scheme 3

g-recaptcha-response URL encoded POST
Input scheme 4
URL: http://www.delhiford.com/mustang.aspx
Inputs
Input scheme 1
URL: http://www.delhiford.com/ecosport.aspx
Inputs
Input scheme 1
URL: http://www.delhiford.com/css/
URL: http://www.delhiford.com/css/theme.css
URL: http://www.delhiford.com/css/mobile.css
URL: http://www.delhiford.com/css/metallic.css

URL: http://www.delhiford.com/css/gallery.css
URL: http://www.delhiford.com/freestyle.aspx
Inputs
Input scheme 1
URL: http://www.delhiford.com/endeavour.aspx
Inputs
Input scheme 1
URL: http://www.delhiford.com/book_service.aspx
Inputs
Input scheme 1
ctl00%24ContentPlaceHolder1%24Dropdownlist1 URL encoded POST
ctl00%24ContentPlaceHolder1%24DropDownList2 URL encoded POST
ctl00%24ContentPlaceHolder1%24Textbox1 URL encoded POST
Input scheme 2
Input scheme 3
Input scheme 4
URL: http://www.delhiford.com/engine4/

URL: http://www.delhiford.com/engine4/style.css
URL: http://www.delhiford.com/engine4/jquery.js
URL: http://www.delhiford.com/engine4/wowslider.js
URL: http://www.delhiford.com/engine4/script.js
URL: http://www.delhiford.com/special_offer.aspx
Inputs
Input scheme 1
URL: http://www.delhiford.com/book_test_drive.aspx
Inputs
Input scheme 1
ctl00%24ContentPlaceHolder1%24ab URL encoded POST
Input scheme 2

Input scheme 3
Input scheme 4
URL: http://www.delhiford.com/data4/
URL: http://www.delhiford.com/data4/images/
URL: http://www.delhiford.com/index_files
URL: http://www.delhiford.com/index_files/vlb_images1
URL: http://www.delhiford.com/js/
URL: http://www.delhiford.com/js/zebra_datepicker.js
URL: http://www.delhiford.com/js/core.js
URL: http://www.delhiford.com/js/chagecarcolor.js
URL: http://www.delhiford.com/js/custom.js
URL: http://www.delhiford.com/js/myjs.js
URL: http://www.delhiford.com/js/pdfobject.js
URL: http://www.delhiford.com/robots.txt
URL: http://www.delhiford.com/pricelist.aspx
Inputs
Input scheme 1
%20name URL encoded GET
Input scheme 2
Input scheme 3
%20name URL encoded GET
URL: http://www.delhiford.com/comparison.aspx
Inputs
Input scheme 1
name URL encoded GET
Input scheme 2
Input scheme 3
name URL encoded GET
URL: http://www.delhiford.com/figo_gallery.aspx
Inputs
Input scheme 1
URL: http://www.delhiford.com/figo_variants.aspx
Inputs
Input scheme 1
URL: http://www.delhiford.com/webresource.axd
Inputs
Input scheme 1
d URL encoded GET
t URL encoded GET
URL: http://www.delhiford.com/aspire_gallery.aspx
Inputs

Input scheme 1
URL: http://www.delhiford.com/aspire_variants.aspx
Inputs
Input scheme 1
URL: http://www.delhiford.com/ecosport_gallery.aspx
Inputs
Input scheme 1
URL: http://www.delhiford.com/ecosport_variants.aspx
Inputs
Input scheme 1
URL: http://www.delhiford.com/endeavour_gallery.aspx
Inputs
Input scheme 1
URL: http://www.delhiford.com/endeavour_variants.aspx
Inputs
Input scheme 1
URL: http://www.delhiford.com/files/

Delhi Ford 1

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Delhi Ford 1

Uploaded by

Copyright:

Available Formats

Acunetix Website Audit

Generated by Acunetix WVS Reporter (v9.5 Build 20140602)

Total alerts found 4

Clickjacking: X-Frame-Options header missing

- Access Vector: Network

Acunetix Website Audit 2

- Access Vector: Network

OPTIONS method is enabled

- Access Vector: Network

Session Cookie without Secure flag set

- Access Vector: Network

Acunetix Website Audit 3

Clickjacking: X-Frame-Options header missing

Acunetix Website Audit 4

Acunetix Website Audit 5

Acunetix Website Audit 6

Acunetix Website Audit 7

Acunetix Website Audit 8

Acunetix Website Audit 9

Acunetix Website Audit 10

Acunetix Website Audit 11

Acunetix Website Audit 13

Acunetix Website Audit 14

Acunetix Website Audit 17

Acunetix Website Audit 18

You might also like