
Comprehensive Report

Acunetix Threat Level 1: LOW
One or more low-severity type vulnerabilities have been discovered by the scanner.

Scan Detail

Target https://public.riamoneytransfer.com/
Scan Type Full Scan
Start Time Sep 21, 2021, 6:58:24 PM GMT+2
Scan Duration 30 minutes
Requests 1783
Average Response Time 499ms
Maximum Response Time 13224ms
Discovered Hosts riamoneytransfer.be
riamoneytransfer.com

Severity        Vulnerabilities  Instances
High            0                0
Medium          0                0
Low             4                4
Informational   2                2
Total           6                6

Informational (2 instances)
Access-Control-Allow-Origin header with wildcard (*) value 1
Web Application Firewall detected 1

Low Severity (4 instances)
Cookies with missing, inconsistent or contradictory properties 1
Cookies without HttpOnly flag set 1
Cookies without Secure flag set 1
Session cookies scoped to parent domain 1

Impacts

Severity       Impact  Vulnerability
Low            1       Cookies with missing, inconsistent or contradictory properties
Low            1       Cookies without HttpOnly flag set
Low            1       Cookies without Secure flag set
Low            1       Session cookies scoped to parent domain
Informational  1       Access-Control-Allow-Origin header with wildcard (*) value
Informational  1       Web Application Firewall detected

Cookies with missing, inconsistent or contradictory properties
At least one of the following cookie properties causes the cookie to be invalid or incompatible either
with a different property of the same cookie or with the environment the cookie is being used in. Although
this is not a vulnerability in itself, it will likely lead to unexpected behavior by the application, which in
turn may cause secondary security issues.

Impact
Cookies will not be stored, or submitted, by web browsers.

https://public.riamoneytransfer.com/ Verified

List of cookies with missing, inconsistent or contradictory properties:

https://public.riamoneytransfer.com/

Cookie was set with:

Set-Cookie:
TS013e9518=0145201f852409125d5a6ce3e534ec8bb880360ad171b34500cff0dcf82d7d8827fefa
1ff60ba83d0bad9eec4cfbe28497e3d72897; Path=/; Domain=.riamoneytransfer.com

This cookie has the following issues:

- Cookie without SameSite attribute.

When cookies lack the SameSite attribute, Web browsers may apply different and
sometimes unexpected defaults. It is therefore recommended to add a SameSite
attribute with an appropriate value of either "Strict", "Lax", or "None".

https://public.riamoneytransfer.com/

Cookie was set with:

Set-Cookie:
TS7d475593027=08e03c57a8ab2000817d9d0c65770705fa70a1bf2349546535675030aa25f1b15bb
07ba6e0e5664808c18f20ed11300012e59b41b63cac66b24d798c8c97f47e8ad1918e95e1aec1129f
6e6d797ae4f3cde34b1c59c154ed444576030c7a9749;Path=/

This cookie has the following issues:

- Cookie without SameSite attribute.

https://public.riamoneytransfer.com/9773732

Cookie was set with:

Set-Cookie:
TS013e9518=0145201f85dd732ce45914f94e901062b25fb7a1124ad216e207634fa5b5bae9067b90
1f329aed6b3f4e1add933b52f4b435bfc474; Path=/; Domain=.riamoneytransfer.com

This cookie has the following issues:

- Cookie without SameSite attribute.

https://public.riamoneytransfer.com/9773732

Cookie was set with:

Set-Cookie:
TS7d475593027=08e03c57a8ab20004258375c490e63f631f7ccdd494675332a16af45d8123340182
d8f9c20153e92084deea1be1130000d9cdf1aa268aa0896eddfde7fab104cc632dd55c170ca2ae68d
3eecd2a1c7d20ae9ac9bf37d86d7eedee138df9a18c8;Path=/

This cookie has the following issues:

- Cookie without SameSite attribute.

https://public.riamoneytransfer.com/

Cookie was set with:

Set-Cookie:
TS013e9518=0145201f85a68db3d98eb06cfb6f4373a806663dba9ae1b79b44b638a948477e11e476
9d78b04a83abbcd433b923747accd556764b; Path=/; Domain=.riamoneytransfer.com

This cookie has the following issues:

- Cookie without SameSite attribute.

https://public.riamoneytransfer.com/

Cookie was set with:

Set-Cookie:
TS7d475593027=08e03c57a8ab2000b28edee6040ae9ade703028e6124bcf6e9fcb83bdcd0befe8ed
877def20e0e3a0870d9f25a113000dcbc2fce909ca35054daae69f43428ade2936e50310d001c6d38
3e365ccaa33e37352f4a94ccb812190c338888bc02ba;Path=/

This cookie has the following issues:

- Cookie without SameSite attribute.

https://public.riamoneytransfer.com/9773732

Cookie was set with:

Set-Cookie:
TS013e9518=0145201f85a68db3d98eb06cfb6f4373a806663dba9ae1b79b44b638a948477e11e476
9d78b04a83abbcd433b923747accd556764b; Path=/; Domain=.riamoneytransfer.com

This cookie has the following issues:

- Cookie without SameSite attribute.

https://public.riamoneytransfer.com/9773732

Cookie was set with:

Set-Cookie:
TS7d475593027=08e03c57a8ab2000cac12d744855df04f350ed0ee7c065d56ad6f0c2e0596e7ff1e
7545de1732f4708c3eb172c11300048afa23bbd2b79af54daae69f43428ad1a8466d6e3f6a706a9d5
d37a407bd2277abac210a076a29f4f3dacafa5bfe271;Path=/

This cookie has the following issues:

- Cookie without SameSite attribute.

Request
GET / HTTP/1.1

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: a0bf8055ccec2c04b35d6a15476e0ba1

Acunetix-Aspect-ScanID: 14174106889640333128

Acunetix-Aspect-Queries: filelist;aspectalerts;packages

Referer: https://public.riamoneytransfer.com/

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/92.0.4512.0 Safari/537.36

Host: public.riamoneytransfer.com

Connection: Keep-alive

Recommendation
Add an explicit SameSite attribute to every cookie ("Lax" is the usual choice for a cookie that is not needed
on cross-site requests; "None" must be combined with Secure or Chrome rejects the cookie), and make sure the
remaining attributes are consistent with each other and with the host that sets them. The TS-prefixed cookies
flagged here are the same ones the scanner used to fingerprint the F5 ASM in the "Web Application Firewall
detected" finding, so the attribute settings belong in the BIG-IP cookie configuration rather than in
application code.

References

MDN | Set-Cookie
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
Securing cookies with cookie prefixes
https://www.sjoerdlangkemper.nl/2017/02/09/cookie-prefixes/
Cookies: HTTP State Management Mechanism
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05
SameSite Updates - The Chromium Projects
https://www.chromium.org/updates/same-site
draft-west-first-party-cookies-07: Same-site Cookies
https://tools.ietf.org/html/draft-west-first-party-cookies-07

Cookies without HttpOnly flag set
One or more cookies don't have the HttpOnly flag set. A cookie set with the HttpOnly flag is still sent by
the browser with every matching request, but it is not exposed to client-side script (document.cookie and
similar APIs), so an XSS payload cannot read it and exfiltrate it. This is an important security protection
for session cookies.

Impact
Cookies can be accessed by client-side scripts.

https://public.riamoneytransfer.com/ Verified

Cookies without HttpOnly flag set:

https://public.riamoneytransfer.com/

Set-Cookie:
TS013e9518=0145201f852409125d5a6ce3e534ec8bb880360ad171b34500cff0dcf82d7d8827fefa
1ff60ba83d0bad9eec4cfbe28497e3d72897; Path=/; Domain=.riamoneytransfer.com

https://public.riamoneytransfer.com/

Set-Cookie:
TS7d475593027=08e03c57a8ab2000817d9d0c65770705fa70a1bf2349546535675030aa25f1b15bb
07ba6e0e5664808c18f20ed11300012e59b41b63cac66b24d798c8c97f47e8ad1918e95e1aec1129f
6e6d797ae4f3cde34b1c59c154ed444576030c7a9749;Path=/

https://public.riamoneytransfer.com/9773732

Set-Cookie:
TS013e9518=0145201f85dd732ce45914f94e901062b25fb7a1124ad216e207634fa5b5bae9067b90
1f329aed6b3f4e1add933b52f4b435bfc474; Path=/; Domain=.riamoneytransfer.com

https://public.riamoneytransfer.com/9773732

Set-Cookie:
TS7d475593027=08e03c57a8ab20004258375c490e63f631f7ccdd494675332a16af45d8123340182
d8f9c20153e92084deea1be1130000d9cdf1aa268aa0896eddfde7fab104cc632dd55c170ca2ae68d
3eecd2a1c7d20ae9ac9bf37d86d7eedee138df9a18c8;Path=/

https://public.riamoneytransfer.com/

Set-Cookie:
TS013e9518=0145201f85a68db3d98eb06cfb6f4373a806663dba9ae1b79b44b638a948477e11e476
9d78b04a83abbcd433b923747accd556764b; Path=/; Domain=.riamoneytransfer.com

https://public.riamoneytransfer.com/

Set-Cookie:
TS7d475593027=08e03c57a8ab2000b28edee6040ae9ade703028e6124bcf6e9fcb83bdcd0befe8ed
877def20e0e3a0870d9f25a113000dcbc2fce909ca35054daae69f43428ade2936e50310d001c6d38
3e365ccaa33e37352f4a94ccb812190c338888bc02ba;Path=/

https://public.riamoneytransfer.com/9773732

Set-Cookie:
TS013e9518=0145201f85a68db3d98eb06cfb6f4373a806663dba9ae1b79b44b638a948477e11e476
9d78b04a83abbcd433b923747accd556764b; Path=/; Domain=.riamoneytransfer.com

https://public.riamoneytransfer.com/9773732

Set-Cookie:
TS7d475593027=08e03c57a8ab2000cac12d744855df04f350ed0ee7c065d56ad6f0c2e0596e7ff1e
7545de1732f4708c3eb172c11300048afa23bbd2b79af54daae69f43428ad1a8466d6e3f6a706a9d5
d37a407bd2277abac210a076a29f4f3dacafa5bfe271;Path=/

Request
GET / HTTP/1.1

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: a0bf8055ccec2c04b35d6a15476e0ba1

Acunetix-Aspect-ScanID: 14174106889640333128

Acunetix-Aspect-Queries: filelist;aspectalerts;packages

Referer: https://public.riamoneytransfer.com/

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/92.0.4512.0 Safari/537.36

Host: public.riamoneytransfer.com

Connection: Keep-alive

Recommendation
If possible, you should set the HttpOnly flag for these cookies. Note that HttpOnly only hides the cookie
from script: a script running on the page can still issue requests that carry it, so the flag limits the
damage of an XSS rather than preventing it.

Cookies without Secure flag set

One or more cookies do not have the Secure flag set. A cookie set with the Secure flag is only sent by the
browser over HTTPS, never over plain HTTP. Without it, a request to http://public.riamoneytransfer.com/
(for example one injected by an attacker on the same network) would carry the cookie in clear text, even
though the site itself is served over HTTPS. This is an important security protection for session cookies.

Impact
Cookies could be sent over unencrypted channels.

https://public.riamoneytransfer.com/ Verified

Cookies without Secure flag set:

https://public.riamoneytransfer.com/

Set-Cookie:
TS013e9518=0145201f852409125d5a6ce3e534ec8bb880360ad171b34500cff0dcf82d7d8827fefa
1ff60ba83d0bad9eec4cfbe28497e3d72897; Path=/; Domain=.riamoneytransfer.com

https://public.riamoneytransfer.com/

Set-Cookie:
TS7d475593027=08e03c57a8ab2000817d9d0c65770705fa70a1bf2349546535675030aa25f1b15bb
07ba6e0e5664808c18f20ed11300012e59b41b63cac66b24d798c8c97f47e8ad1918e95e1aec1129f
6e6d797ae4f3cde34b1c59c154ed444576030c7a9749;Path=/

https://public.riamoneytransfer.com/9773732

Set-Cookie:
TS013e9518=0145201f85dd732ce45914f94e901062b25fb7a1124ad216e207634fa5b5bae9067b90
1f329aed6b3f4e1add933b52f4b435bfc474; Path=/; Domain=.riamoneytransfer.com

https://public.riamoneytransfer.com/9773732

Set-Cookie:
TS7d475593027=08e03c57a8ab20004258375c490e63f631f7ccdd494675332a16af45d8123340182
d8f9c20153e92084deea1be1130000d9cdf1aa268aa0896eddfde7fab104cc632dd55c170ca2ae68d
3eecd2a1c7d20ae9ac9bf37d86d7eedee138df9a18c8;Path=/

https://public.riamoneytransfer.com/

Set-Cookie:
TS013e9518=0145201f85a68db3d98eb06cfb6f4373a806663dba9ae1b79b44b638a948477e11e476
9d78b04a83abbcd433b923747accd556764b; Path=/; Domain=.riamoneytransfer.com

https://public.riamoneytransfer.com/

Set-Cookie:
TS7d475593027=08e03c57a8ab2000b28edee6040ae9ade703028e6124bcf6e9fcb83bdcd0befe8ed
877def20e0e3a0870d9f25a113000dcbc2fce909ca35054daae69f43428ade2936e50310d001c6d38
3e365ccaa33e37352f4a94ccb812190c338888bc02ba;Path=/

https://public.riamoneytransfer.com/9773732

Set-Cookie:
TS013e9518=0145201f85a68db3d98eb06cfb6f4373a806663dba9ae1b79b44b638a948477e11e476
9d78b04a83abbcd433b923747accd556764b; Path=/; Domain=.riamoneytransfer.com

https://public.riamoneytransfer.com/9773732

Set-Cookie:
TS7d475593027=08e03c57a8ab2000cac12d744855df04f350ed0ee7c065d56ad6f0c2e0596e7ff1e
7545de1732f4708c3eb172c11300048afa23bbd2b79af54daae69f43428ad1a8466d6e3f6a706a9d5
d37a407bd2277abac210a076a29f4f3dacafa5bfe271;Path=/

Request
GET / HTTP/1.1

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: a0bf8055ccec2c04b35d6a15476e0ba1

Acunetix-Aspect-ScanID: 14174106889640333128

Acunetix-Aspect-Queries: filelist;aspectalerts;packages

Referer: https://public.riamoneytransfer.com/

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/92.0.4512.0 Safari/537.36

Host: public.riamoneytransfer.com

Connection: Keep-alive

Recommendation
If possible, you should set the Secure flag for these cookies. Since the site is only served over HTTPS,
there is no reason for the browser ever to send them in clear text.

Session cookies scoped to parent domain

One or more session cookies are scoped to the parent domain instead of the host that set them. A cookie with
Domain=.riamoneytransfer.com is sent not only to public.riamoneytransfer.com but to every other sub-domain
of riamoneytransfer.com, so a vulnerability (for example XSS) on any of those hosts exposes the cookie, and
any of them can overwrite it. This could lead to security problems.

Impact
None

https://public.riamoneytransfer.com/ Verified

Session cookies scoped to parent domain:

https://public.riamoneytransfer.com/

Set-Cookie:
TS013e9518=0145201f852409125d5a6ce3e534ec8bb880360ad171b34500cff0dcf82d7d8827fefa
1ff60ba83d0bad9eec4cfbe28497e3d72897; Path=/; Domain=.riamoneytransfer.com

https://public.riamoneytransfer.com/9773732

Set-Cookie:
TS013e9518=0145201f85dd732ce45914f94e901062b25fb7a1124ad216e207634fa5b5bae9067b90
1f329aed6b3f4e1add933b52f4b435bfc474; Path=/; Domain=.riamoneytransfer.com

https://public.riamoneytransfer.com/

Set-Cookie:
TS013e9518=0145201f85a68db3d98eb06cfb6f4373a806663dba9ae1b79b44b638a948477e11e476
9d78b04a83abbcd433b923747accd556764b; Path=/; Domain=.riamoneytransfer.com

https://public.riamoneytransfer.com/9773732

Set-Cookie:
TS013e9518=0145201f85a68db3d98eb06cfb6f4373a806663dba9ae1b79b44b638a948477e11e476
9d78b04a83abbcd433b923747accd556764b; Path=/; Domain=.riamoneytransfer.com

Request
GET / HTTP/1.1

Acunetix-Aspect: enabled

Acunetix-Aspect-Password: a0bf8055ccec2c04b35d6a15476e0ba1

Acunetix-Aspect-ScanID: 14174106889640333128

Acunetix-Aspect-Queries: filelist;aspectalerts;packages

Referer: https://public.riamoneytransfer.com/

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/92.0.4512.0 Safari/537.36

Host: public.riamoneytransfer.com

Connection: Keep-alive

Recommendation
If possible, the session cookies should be scoped strictly to the host that sets them: omit the Domain
attribute, which makes the cookie host-only, or use the __Host- prefix (which requires Secure, Path=/ and
no Domain attribute) so that the browser enforces the scope itself.
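The four cookie findings above (SameSite, HttpOnly, Secure, parent-domain scope) are mechanical checks on Set-Cookie attributes. The following Python script, added here as an example and not part of the Acunetix report, re-implements those checks so a reviewer can run them against captured headers before and after a fix. The sample input is the two TS cookies quoted in this report (values shortened) plus a constructed hardened variant of the first one; the host name is the scan target.

```python
"""Added example, not Acunetix code: re-run this report's four cookie checks
(missing SameSite, HttpOnly, Secure, parent-domain scope) over raw Set-Cookie
headers.

The first two sample headers are the TS013e9518 / TS7d475593027 cookies quoted
above (values shortened); the third is a constructed, hardened version of the
first one to show a clean result.
"""
from __future__ import annotations

from dataclasses import dataclass, field

HOST = "public.riamoneytransfer.com"


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name, lower-cased -> value, or None for flag attributes (Secure, HttpOnly)
    attrs: dict[str, str | None] = field(default_factory=dict)

    def has(self, attr: str) -> bool:
        return attr.lower() in self.attrs

    @property
    def is_session_cookie(self) -> bool:
        # No Expires and no Max-Age: the browser discards it when the session ends.
        return not (self.has("expires") or self.has("max-age"))


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value (RFC 6265 syntax, tolerant of stray whitespace)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if has_value else None
    return cookie


def check_cookie(cookie: Cookie, host: str) -> list[str]:
    """Findings for a cookie set by a response from `host`; an empty list means clean."""
    issues: list[str] = []
    host = host.lower()

    if not cookie.has("secure"):
        issues.append("missing Secure: also sent over plain http://")
    if not cookie.has("httponly"):
        issues.append("missing HttpOnly: readable via document.cookie")

    samesite = cookie.attrs.get("samesite")
    if samesite is None:
        issues.append("missing SameSite: browser default applies (Chrome treats it as Lax)")
    elif samesite.lower() == "none" and not cookie.has("secure"):
        # A 'contradictory properties' case: Chrome rejects SameSite=None without Secure.
        issues.append("SameSite=None without Secure: cookie is rejected")
    elif samesite.lower() not in ("strict", "lax", "none"):
        issues.append(f"SameSite={samesite!r} is not a valid value")

    domain = cookie.attrs.get("domain")
    if domain:
        scope = domain.lstrip(".").lower()
        if host.endswith("." + scope):
            if cookie.is_session_cookie:
                issues.append(f"session cookie scoped to parent domain {scope}: every *.{scope} host can read it")
        elif scope != host:
            # Another 'contradictory properties' case: the browser will not store it.
            issues.append(f"Domain={domain} does not cover {host}: cookie is not stored")

    # Cookie-name prefixes let the browser enforce the attributes itself.
    if cookie.name.startswith("__Secure-") and not cookie.has("secure"):
        issues.append("__Secure- prefix requires Secure: cookie is rejected")
    if cookie.name.startswith("__Host-") and (
        not cookie.has("secure") or domain is not None or cookie.attrs.get("path") != "/"
    ):
        issues.append("__Host- prefix requires Secure, Path=/ and no Domain: cookie is rejected")
    return issues


# Quoted from the report above (values shortened).
REPORT_HEADERS = [
    "TS013e9518=0145201f852409125d5a6ce3e534ec8bb880360ad171b345; Path=/; Domain=.riamoneytransfer.com",
    "TS7d475593027=08e03c57a8ab2000817d9d0c65770705fa70a1bf23495465;Path=/",
]
# Constructed: the first cookie with the attributes this report asks for.
HARDENED_HEADER = (
    "__Host-TS013e9518=0145201f852409125d5a6ce3e534ec8bb880360ad171b345; "
    "Path=/; Secure; HttpOnly; SameSite=Lax"
)


def audit(headers: list[str], host: str = HOST) -> dict[str, list[str]]:
    """Map each cookie name to its list of findings."""
    return {c.name: check_cookie(c, host) for c in map(parse_set_cookie, headers)}


if __name__ == "__main__":
    for name, issues in audit(REPORT_HEADERS + [HARDENED_HEADER]).items():
        print(f"{name}:")
        for issue in issues or ["OK"]:
            print(f"  - {issue}")
```

Running it reproduces the report: TS013e9518 gets all four findings, TS7d475593027 (no Domain attribute, so host-only) gets three, and the hardened __Host- variant is clean. The Domain check also catches the inverse mistake, a Domain that does not cover the setting host, which is one of the "cookie will not be stored" cases the first finding describes.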

Access-Control-Allow-Origin header with wildcard (*) value

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web
page to be requested from another domain outside the domain from which the resource originated. The
Access-Control-Allow-Origin response header indicates whether a resource can be shared, by carrying either
the value of the Origin request header, "*", or "null".

If a website responds with Access-Control-Allow-Origin: * the requested resource allows sharing with
every origin, so any website can issue a cross-origin request (XMLHttpRequest or fetch) to it and read the
response. Browsers never combine a wildcard with credentials, however: such a cross-origin request is sent
without the user's cookies, so what is exposed is whatever the site returns to an anonymous client. The
scanner observed the wildcard on a request that carried Origin: https://public.riamoneytransfer.com, i.e.
the site's own origin.

Impact
Any website can make cross-origin requests to the site and read the (unauthenticated) responses.

https://public.riamoneytransfer.com/
Affected paths (max. 25):

/
/9773732

Request
GET / HTTP/1.1

Origin: https://public.riamoneytransfer.com

Cookie:
TS013e9518=0145201f852409125d5a6ce3e534ec8bb880360ad171b34500cff0dcf82d7d8827fefa1ff60ba83d0bad9eec4
cfbe28497e3d72897;
TS7d475593027=08e03c57a8ab2000817d9d0c65770705fa70a1bf2349546535675030aa25f1b15bb07ba6e0e5664808c18f
20ed11300012e59b41b63cac66b24d798c8c97f47e8ad1918e95e1aec1129f6e6d797ae4f3cde34b1c59c154ed444576030c
7a9749

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/92.0.4512.0 Safari/537.36

Host: public.riamoneytransfer.com

Connection: Keep-alive

Recommendation
Check whether Access-Control-Allow-Origin: * is appropriate for the resource/response. It is harmless for
genuinely public, static content; for anything that varies per user, return the header only for an
allow-list of trusted origins (and add Vary: Origin), and never reflect the request's Origin value unchecked.

References

Test Cross Origin Resource Sharing (OTG-CLIENT-007)
https://www.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)
Cross-origin resource sharing
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
Cross-Origin Resource Sharing
http://www.w3.org/TR/cors/
CrossOriginRequestSecurity
https://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
Cross-Origin Resource Sharing (CORS) and the Access-Control-Allow-Origin Header
https://www.acunetix.com/blog/web-security-zone/cross-origin-resource-sharing-cors-access-control-allow-origin-header/
PortSwigger Research on CORS misconfiguration
https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties
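To make the wildcard finding concrete, the following Python snippet, added here as an example and not part of the Acunetix report, encodes the check a browser applies before exposing a cross-origin response body to script, and grades a set of CORS response headers from harmless (public wildcard) to critical (reflected origin with credentials). The first sample response is the Access-Control-Allow-Origin: * observed above; the other responses and the origin https://attacker.example are constructed for the comparison.

```python
"""Added example, not Acunetix code: the browser-side CORS decision and a grading
of response headers, from a harmless public wildcard to a reflected origin with
credentials.

OBSERVED is the header the report saw; the other responses and the probe origin
https://attacker.example are constructed.
"""
from __future__ import annotations


def _header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def browser_allows_read(origin: str, headers: dict[str, str], with_credentials: bool) -> bool:
    """The check a browser performs before exposing a cross-origin response to script
    (Fetch spec 'CORS check'), for a request sent from `origin`."""
    acao = _header(headers, "Access-Control-Allow-Origin")
    acac = _header(headers, "Access-Control-Allow-Credentials")
    if acao is None:
        return False
    if not with_credentials:
        return acao == "*" or acao == origin
    # Credentialed request: '*' is never accepted, the origin must match exactly,
    # and Access-Control-Allow-Credentials must be literally 'true'.
    return acao == origin and acac == "true"


def grade_cors(probe_origin: str, headers: dict[str, str]) -> str:
    """Classify the response to a request that carried Origin: probe_origin.
    probe_origin should be an origin the target does NOT own."""
    acao = _header(headers, "Access-Control-Allow-Origin")
    acac = _header(headers, "Access-Control-Allow-Credentials")
    if acao is None:
        return "no CORS: cross-origin script cannot read the body"
    if acao == "*":
        if acac == "true":
            return "wildcard with credentials: browsers reject this combination, nothing is exposed"
        return "wildcard: any origin can read the body, but never with the user's cookies"
    if acao == probe_origin and acac == "true":
        return "reflected origin with credentials: any site can read authenticated responses"
    if acao == probe_origin:
        return "reflected origin: unauthenticated content readable from any site"
    if acao == "null" and acac == "true":
        return "null origin with credentials: sandboxed iframes and data: URLs can read authenticated responses"
    return f"allow-listed origin {acao}: only that origin can read the body"


# Observed in the report for a request with Origin: https://public.riamoneytransfer.com
OBSERVED = {"Access-Control-Allow-Origin": "*"}

# Constructed responses for comparison.
WILDCARD_WITH_CREDS = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
REFLECTED_WITH_CREDS = {
    "Access-Control-Allow-Origin": "https://attacker.example",
    "Access-Control-Allow-Credentials": "true",
}
# An allow-listed sibling origin of the target, with Vary so caches keep the variants apart.
ALLOW_LISTED = {
    "Access-Control-Allow-Origin": "https://riamoneytransfer.com",
    "Vary": "Origin",
}

ATTACKER = "https://attacker.example"

if __name__ == "__main__":
    for label, resp in [("observed", OBSERVED), ("wildcard+creds", WILDCARD_WITH_CREDS),
                        ("reflected+creds", REFLECTED_WITH_CREDS), ("allow-listed", ALLOW_LISTED)]:
        anon = browser_allows_read(ATTACKER, resp, with_credentials=False)
        auth = browser_allows_read(ATTACKER, resp, with_credentials=True)
        print(f"{label:16} anon-read={anon!s:5} auth-read={auth!s:5} {grade_cors(ATTACKER, resp)}")
```

Call grade_cors with an origin the target does not own; probing with the site's own origin, as in the captured request, only confirms that the header is present. The wildcard case reads as "anon-read=True, auth-read=False", which is why the finding is informational: the exposure is limited to what an anonymous client already gets.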

Web Application Firewall detected

This server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or a
WAF (Web Application Firewall). Acunetix detected this by sending various malicious payloads and
observing changes in the response code, headers and body.

Impact
You may receive incorrect/incomplete results when scanning a server protected by an IPS/IDS/WAF. Also, if
the WAF detects a number of attacks coming from the scanner, the IP address can be blocked after a few
attempts.

https://public.riamoneytransfer.com/
Detected F5 ASM (11.4.0 or newer) from [Main ASM Cookie]

Request
GET /9773732 HTTP/1.1

Cookie:
TS013e9518=0145201f852409125d5a6ce3e534ec8bb880360ad171b34500cff0dcf82d7d8827fefa1ff60ba83d0bad9eec4
cfbe28497e3d72897;
TS7d475593027=08e03c57a8ab2000817d9d0c65770705fa70a1bf2349546535675030aa25f1b15bb07ba6e0e5664808c18f
20ed11300012e59b41b63cac66b24d798c8c97f47e8ad1918e95e1aec1129f6e6d797ae4f3cde34b1c59c154ed444576030c
7a9749

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/92.0.4512.0 Safari/537.36

Host: public.riamoneytransfer.com

Connection: Keep-alive

Recommendation
If possible, it's recommended to scan an internal (development) version of the web application where the
WAF is not active.

Coverage


https://public.riamoneytransfer.com

9773732
