Comprehensive New Https Tech Jobs Credit Agricole Com

Comprehensive Report
Acunetix Threat Level 3

One or more high-severity type vulnerabilities have been
HIGH discovered by the scanner. A malicious user can exploit these
vulnerabilities and compromise the backend database and/or
deface your website.
Scan Detail
Target https://tech-jobs.credit-agricole.com
Scan Type Full Scan
Start Time May 5, 2023, 4:06:24 PM GMT+3
Scan Duration 1 hour, 15 minutes
Requests 98818
Average Response Time 193ms
Maximum Response Time 10199ms
1
1 1 5 6
High Medium Low Informational
Severity Vulnerabilities Instances
High 1 1
Medium 1 1
Low 5 5
Informational 6 6
Total 13 13
2
Informational
Instances
Content Security Policy (CSP) not implemented 1
File uploads 1
Outdated JavaScript libraries 1
Others 3
Low Severity
Instances
Clickjacking: X-Frame-Options header 1
Documentation files 1
HTTP Strict Transport Security (HSTS) not imp… 1
Others 2
Medium Severity
Instances
TLS 1.1 enabled 1
High Severity
Instances
TLS 1.0 enabled 1
3
Impacts
SEVERITY IMPACT
High 1 TLS 1.0 enabled
Medium 1 TLS 1.1 enabled
Low 1 Clickjacking: X-Frame-Options header
Low 1 Documentation files
Low 1 HTTP Strict Transport Security (HSTS) not implemented
Low 1 WordPress admin accessible without HTTP authentication
Low 1 WordPress REST API User Enumeration
Informational 1 Content Security Policy (CSP) not implemented
Informational 1 File uploads
Informational 1 Outdated JavaScript libraries
Informational 1 Permissions-Policy header not implemented
Informational 1 PHP Version Disclosure
Informational 1 Subresource Integrity (SRI) not implemented
4
TLS 1.0 enabled
The web server supports encryption through TLS 1.0, which was formally deprecated in March 2021 as a
result of inherent security issues. In addition, TLS 1.0 is not considered to be "strong cryptography" as
defined and required by the PCI Data Security Standard 3.2(.1) when used to protect sensitive information
transferred to or from web sites. According to PCI, "30 June 2018 is the deadline for disabling SSL/early
TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly
encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.
Impact
An attacker may be able to exploit this problem to conduct man-in-the-middle attacks and decrypt
communications between the affected service and clients.
https://tech-jobs.credit-agricole.com/ Confidence: 100%
The SSL server (port: 443) encrypts traffic using TLSv1.0.
Recommendation
It is recommended to disable TLS 1.0 and replace it with TLS 1.2 or higher.
References
RFC 8996: Deprecating TLS 1.0 and TLS 1.1

https://tools.ietf.org/html/rfc8996
Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS
https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
PCI 3.1 and TLS 1.2 (Cloudflare Support)

https://support.cloudflare.com/hc/en-us/articles/205043158-PCI-3-1-and-TLS-1-2
TLS 1.1 enabled

The web server supports encryption through TLS 1.1, which was formally deprecated in March 2021 as a
result of inherent security issues. When aiming for Payment Card Industry (PCI) Data Security Standard
(DSS) compliance, it is recommended to use TLS 1.2 or higher instead. According to PCI, "30 June 2018 is
5
the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or
higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for
safeguarding payment data.
Impact
An attacker may be able to exploit this problem to conduct man-in-the-middle attacks and decrypt
communications between the affected service and clients.
The SSL server (port: 443) encrypts traffic using TLSv1.1.
Recommendation
It is recommended to disable TLS 1.1 and replace it with TLS 1.2 or higher.
References
RFC 8996: Deprecating TLS 1.0 and TLS 1.1

https://tools.ietf.org/html/rfc8996
Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS
https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
PCI 3.1 and TLS 1.2 (Cloudflare Support)
https://support.cloudflare.com/hc/en-us/articles/205043158-PCI-3-1-and-TLS-1-2
Clickjacking: X-Frame-Options header

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of
tricking a Web user into clicking on something different from what the user perceives they are clicking on,
thus potentially revealing confidential information or taking control of their computer while clicking on
seemingly innocuous web pages.
The server did not return an X-Frame-Options header with the value DENY or SAMEORIGIN, which means
that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can
be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe.
Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into
untrusted sites.
6
Impact
The impact depends on the affected web application.
https://tech-jobs.credit-agricole.com/
Paths without secure XFO header:
https://tech-jobs.credit-agricole.com/questionnaire/
Request
GET /questionnaire/ HTTP/1.1
Host: tech-jobs.credit-agricole.com
accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
accept-language: en-US
Purpose: prefetch
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
Referer: https://tech-jobs.credit-agricole.com/
Accept-Encoding: gzip,deflate,br
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/108.0.0.0 Safari/537.36
Recommendation
Configure your web server to include an X-Frame-Options header and a CSP header with frame-ancestors
directive. Consult Web references for more information about the possible values for this header.
References
The X-Frame-Options response header

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Clickjacking
https://en.wikipedia.org/wiki/Clickjacking
OWASP Clickjacking
https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
Frame Buster Buster

https://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed
7
Documentation files
One or more documentation files (e.g. readme.txt, changelog.txt, ...) were found. The information
contained in these files could help an attacker identify the web application you are using and sometimes
the version of the application. It's recommended to remove these files from production systems.
Impact
These files may disclose sensitive information. This information can be used to launch further attacks.
Documentation files:
https://tech-jobs.credit-agricole.com/license.txt
File contents (first 100 characters):
WordPress - Web publishing software
Copyright 2011-2023 by the contributors
This program is free s ...
Request
GET /license.txt HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: Keep-alive
Recommendation
Remove or restrict access to all documentation file acessible from internet.
HTTP Strict Transport Security (HSTS) not

implemented
8
HTTP Strict Transport Security (HSTS) tells a browser that a web site is only accessable using HTTPS. It was
detected that your web application doesn't implement HTTP Strict Transport Security (HSTS) as the Strict
Transport Security header is missing from the response.
Impact
HSTS can be used to prevent and/or mitigate some types of man-in-the-middle (MitM) attacks
URLs where HSTS is not enabled:
Request
Purpose: prefetch
Recommendation
It's recommended to implement HTTP Strict Transport Security (HSTS) into your web application. Consult
web references for more information
References
hstspreload.org
https://hstspreload.org/
Strict-Transport-Security
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
9
WordPress admin accessible without HTTP
authentication
It's recommended to restrict access to the WordPress administration dashboard using HTTP
authentication. Password protecting your WordPress admin dashboard through a layer of HTTP
authentication is an effective measure to thwart attackers attempting to guess user's passwords.
Additionally, if attackers manage to steal a user's password, they will need to get past HTTP authentication
in order to gain access to WordPress login form.
Impact
No impact is associated with this vulnerability.
https://tech-jobs.credit-agricole.com/wp-admin/
Request
GET /wp-admin/ HTTP/1.1
Recommendation
Add server-side password protection (such as BasicAuth) to the /wp-admin/ directory. Consult web
references for more information.
References
Securing wp-admin
https://codex.wordpress.org/Hardening_WordPress
WordPress Security Tips Part 5 | Restrict Access to wp-admin Directory

https://www.acunetix.com/blog/articles/wordpress-security-wpadmin-directory/
WordPress REST API User Enumeration
10
WordPress includes a REST API that can be used to list the information about the registered users on a
WordPress installation. The REST API exposed user data for all users who had authored a post of a public
post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown
within the REST API.
Impact
An unauthenticated attacker can gain access to the list of users on a WordPress installation. This can be
exploited by bots that are launching brute-force password guessing attacks on WordPress websites.
Request
GET /wp-json/wp/v2/users HTTP/1.1
Recommendation
Install a WordPress plugin such as Stop User Enumeration. Stop User Enumeration is a security plugin
designed to detect and prevent hackers scanning your site for user names.
References
Stop User Enumeration

https://wordpress.org/plugins/stop-user-enumeration/
WordPress 4.7.1 Security and Maintenance Release

https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Content Security Policy (CSP) not implemented

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types
of attacks, including Cross Site Scripting (XSS) and data injection attacks.
Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value
of this header is a string containing the policy directives describing your Content Security Policy. To
11
implement CSP, you should define lists of allowed origins for the all of the types of resources that your site
utilizes. For example, if you have a simple site that needs to load scripts, stylesheets, and images hosted
locally, as well as from the jQuery library from their CDN, the CSP header could look like the following:
Content-Security-Policy:
default-src 'self';
script-src 'self' https://code.jquery.com;
It was detected that your web application doesn't implement Content Security Policy (CSP) as the CSP
header is missing from the response. It's recommended to implement Content Security Policy (CSP) into
your web application.
Impact
CSP can be used to prevent and/or mitigate attacks that involve content/code injection, such as cross-site
scripting/XSS attacks, attacks that require embedding a malicious resource, attacks that involve malicious
use of iframes, such as clickjacking attacks, and others.
Paths without CSP header:
Request
Purpose: prefetch
Recommendation
It's recommended to implement Content Security Policy (CSP) into your web application. Configuring
Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and
12
giving it values to control resources the user agent is allowed to load for that page.
References
Content Security Policy (CSP)

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Implementing Content Security Policy

https://hacks.mozilla.org/2016/02/implementing-content-security-policy/
File uploads
These pages allows visitors to upload files to the server. Various web applications allow users to upload
files (such as pictures, images, sounds, ...). Uploaded files may pose a significant risk if not handled
correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted
filename or mime type and execute arbitrary code.
Impact
If the uploaded files are not safely checked an attacker may upload malicious files.
Pages with file upload forms:
Form name: Questionnaire Credit Agricole

Form action: <empty>
Form method: POST
Form file input: form_fields[field_032e81c] [file]
Request
Purpose: prefetch
13
Recommendation
Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded.
Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.png. Check for
files without a filename like .htaccess (on ASP.NET, check for configuration files like web.config). Change
the permissions on the upload folder so the files within it are not executable. If possible, rename the files
that are uploaded.
Outdated JavaScript libraries

You are using an outdated version of one or more JavaScript libraries. A more recent version is available.
Although your version was not found to be affected by any security vulnerabilities, it is recommended to
keep libraries up to date.
Impact
Consult References for more information.
Lodash 1.13.6
URL: https://tech-jobs.credit-agricole.com/questionnaire/
Detection method: The library's name and version were determined based on its dynamic behavior.
References:
https://github.com/lodash/lodash/tags
Request
Purpose: prefetch
14
Recommendation
Upgrade to the latest version.
Permissions-Policy header not implemented

The Permissions-Policy header allows developers to selectively enable and disable use of various browser
features and APIs.
Impact
Locations without Permissions-Policy header:
https://tech-jobs.credit-agricole.com/xmlrpc.php
https://tech-jobs.credit-agricole.com/wp-json/oembed/1.0/embed
https://tech-jobs.credit-agricole.com/comments/feed/
https://tech-jobs.credit-agricole.com/cgu/
https://tech-jobs.credit-agricole.com/mentions-legales/
https://tech-jobs.credit-agricole.com/feed/
https://tech-jobs.credit-agricole.com/wp-json/
https://tech-jobs.credit-agricole.com/wp-admin/
https://tech-jobs.credit-agricole.com/license.txt
https://tech-jobs.credit-agricole.com/__ovhp/
https://tech-jobs.credit-agricole.com/comments/
https://tech-jobs.credit-agricole.com/__ovhp/common/font/
https://tech-jobs.credit-agricole.com/__ovhp/common/img/
https://tech-jobs.credit-agricole.com/wp-admin/admin-ajax.php
https://tech-jobs.credit-agricole.com/wp-json/oembed/
https://tech-jobs.credit-agricole.com/wp-json/wp/v2/pages/8
https://tech-jobs.credit-agricole.com/wp-json/wp/
https://tech-jobs.credit-agricole.com/wp-content/cache/min/1/wp-
content/plugins/elementor/assets/lib/swiper/v8/css/swiper.min.css
https://tech-jobs.credit-agricole.com/__ovhp/common/
15
Request
Purpose: prefetch
References
Permissions-Policy / Feature-Policy (MDN)

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
Permissions Policy (W3C)

https://www.w3.org/TR/permissions-policy-1/
PHP Version Disclosure

The web server is sending the X-Powered-By: response headers, revealing the PHP version.
Impact
An attacker might use the disclosed information to harvest specific security vulnerabilities for the version
identified.
Version detected: PHP/8.0.
Recommendation
Configure your web server to prevent information leakage from its HTTP response.
References
16
PHP Documentation: header_remove()
https://www.php.net/manual/en/function.header-remove.php
PHP Documentation: php.ini directive expose_php

https://www.php.net/manual/en/ini.core.php#ini.expose-php
Subresource Integrity (SRI) not implemented

Subresource Integrity (SRI) is a security feature that enables browsers to verify that third-party resources
they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing
developers to provide a cryptographic hash that a fetched file must match.
Third-party resources (such as scripts and stylesheets) can be manipulated. An attacker that has access or
has hacked the hosting CDN can manipulate or replace the files. SRI allows developers to specify a base64-
encoded cryptographic hash of the resource to be loaded. The integrity attribute containing the hash is
then added to the <script> HTML element tag. The integrity string consists of a base64-encoded hash,
followed by a prefix that depends on the hash algorithm. This prefix can either be sha256, sha384 or
sha512.
The script loaded from the external URL specified in the Details section doesn't implement Subresource
Integrity (SRI). It's recommended to implement Subresource Integrity (SRI) for all the scripts loaded from
external hosts.
Impact
An attacker that has access or has hacked the hosting CDN can manipulate or replace the files.
Pages where SRI is not implemented:
Script SRC: https://www.googletagmanager.com/gtag/js?id=UA-264300841-1
Script SRC: https://www.google.com/recaptcha/api.js?render=explicit&ver=3.12.3
Request
17
Purpose: prefetch
Recommendation
Use the SRI Hash Generator link (from the References section) to generate a <script> element that
implements Subresource Integrity (SRI).
For example, you can use the following <script> element to tell a browser that before executing the
https://example.com/example-framework.js script, the browser must first compare the script to the
expected hash, and verify that there's a match.
<script src="https://example.com/example-framework.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"></script>
References
Subresource Integrity
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
SRI Hash Generator

https://www.srihash.org/
18
Coverage
https://tech-jobs.credit-agricole.com
#fragments
wp-duotone-blue-orange
wp-duotone-blue-red
wp-duotone-dark-grayscale
wp-duotone-grayscale
wp-duotone-magenta-yellow
wp-duotone-midnight
wp-duotone-purple-green
wp-duotone-purple-yellow
Inputs
GET p
__ovhp
common
css
style.css
font
img
cgu
comments
feed
feed
mentions-legales
questionnaire
#fragments
wp-duotone-blue-red
wp-duotone-midnight
19
Inputs
POST form_fields[field_032e81c], form_fields[field_1b2caac], form_fields[field_1be5f0b],
form_fields[field_2387f56], form_fields[field_633be20], form_fields[field_64ca02e], form_fields[field_6f50663],
form_fields[field_951092e], form_fields[field_9659507], form_fields[field_b0185b2],
form_fields[field_b16a1dd], form_fields[field_cloud][], form_fields[field_d81bc45], form_fields[field_email],
form_fields[field_experience], form_fields[field_fd4f891], form_fields[field_linkedin],
form_fields[field_mainframe], form_fields[field_prenom], form_fields[field_scoop], form_fields[input1],
form_fields[input2], form_fields[input3], form_fields[input4], form_fields[input5], form_fields[name], form_id,
post_id, queried_id, referer_title
POST post_id, form_id, referer_title, queried_id, form_fields[input1], form_fields[input2],

form_fields[input3], form_fields[input4], form_fields[input5], form_fields[field_9659507],
form_fields[field_experience], form_fields[field_951092e], form_fields[field_prenom], form_fields[name],
form_fields[field_b16a1dd], form_fields[field_email], form_fields[field_scoop], form_fields[field_032e81c],
form_fields[field_linkedin], form_fields[field_2387f56], form_fields[field_b0185b2], form_fields[field_64ca02e],
form_fields[field_1b2caac], form_fields[field_6f50663], form_fields[field_1be5f0b], form_fields[field_633be20],
form_fields[field_mainframe], form_fields[field_cloud][], form_fields[field_d81bc45],
form_fields[field_fd4f891]
wp-admin
admin-ajax.php
Inputs
POST post_id, form_id, referer_title, queried_id, form_fields[input1], form_fields[input2],
form_fields[input3], form_fields[input4], form_fields[input5], form_fields[field_64ca02e],
form_fields[field_1b2caac], form_fields[field_6f50663], form_fields[field_1be5f0b],
form_fields[field_633be20], form_fields[field_mainframe], form_fields[field_cloud][],
form_fields[field_d81bc45], form_fields[field_fd4f891], form_fields[field_9659507],
form_fields[field_experience], form_fields[field_951092e], form_fields[field_prenom], form_fields[name],
form_fields[field_b16a1dd], form_fields[field_email], form_fields[field_scoop], form_fields[field_032e81c],
form_fields[field_linkedin], form_fields[field_2387f56], form_fields[field_b0185b2], action, referrer
wp-content
cache
min
1
wp-content
plugins
elementor
assets
lib
eicons
20
css
elementor-icons.min.css
font-awesome
css
solid.min.css
swiper
v8
css
swiper.min.css
uploads
custom-css-js
1623.css
3480.css
useanyfont
uaf.css
plugins
elementor-pro
assets
css
frontend-lite.min.css
js
elements-handlers.min.js
#fragments
wp-duotone-blue-red
wp-duotone-midnight
form.72b77b99d67b130634d2.bundle.min.js
frontend.min.js
21
popup.483b906ddaa1af17ff14.bundle.min.js
webpack-pro.runtime.min.js
lib
smartmenus
jquery.smartmenus.min.js
sticky
jquery.sticky.min.js
modules
lottie
assets
animations
default.json
elementor
assets
css
frontend-lite.min.css
js
frontend-modules.min.js
frontend.min.js
webpack.runtime.min.js
lib
animations
animations.min.css
dialog
dialog.min.js
eicons
css
elementor-icons.min.css
fonts
font-awesome
css
fontawesome.min.css
solid.min.css
22
webfonts
swiper
v8
css
swiper.min.css
waypoints
waypoints.min.js
preloader-plus
assets
css
preloader-plus.min.css
js
preloader-plus.min.js
#fragments
wp-duotone-blue-red
wp-duotone-midnight
smart-slider-3
Public
SmartSlider3
Application
Frontend
Assets
dist
n2.min.js
smartslider-frontend.min.js
Slider
SliderType
23
Simple
Assets
dist
ss-simple.min.js
Widget
Arrow
ArrowImage
Assets
dist
w-arrow-image.min.js
wp-rocket
assets
img
js
lazyload
17.8.3
lazyload.min.js
wpforms-lite
assets
js
integrations
elementor
frontend.min.js
themes
hello-elementor
assets
js
hello-frontend.min.js
#fragments
wp-duotone-blue-red
24
wp-duotone-midnight
style.min.css
theme.min.css
uploads
2023
03
04
Gotham-Book.otf
custom-css-js
1623.css
3480.css
elementor
css
global.css
post-318.css
post-6.css
post-8.css
useanyfont
uaf.css
wp-includes
css
dist
block-library
style.min.css
classic-themes.min.css
js
dist
vendor
regenerator-runtime.min.js
wp-polyfill-inert.min.js
wp-polyfill.min.js
25
#fragments
wp-duotone-blue-red
wp-duotone-midnight
hooks.min.js
i18n.min.js
jquery
ui
core.min.js
#fragments
wp-duotone-blue-red
wp-duotone-midnight
jquery-migrate.min.js
jquery.min.js
underscore.min.js
wp-util.min.js
wlwmanifest.xml
wp-json
oembed
1.0
embed
Inputs
26
GET url, format
wp
v2
pages
21
users
license.txt
robots.txt
xmlrpc.php
27

Comprehensive New Https Tech Jobs Credit Agricole Com

Uploaded by

Copyright:

Available Formats

You might also like

Comprehensive New Https Tech Jobs Credit Agricole Com

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Comprehensive New Https Tech Jobs Credit Agricole Com

Uploaded by

Copyright:

Available Formats

Comprehensive Report

Acunetix Threat Level 3

Severity Vulnerabilities Instances

High 1 TLS 1.0 enabled

Medium 1 TLS 1.1 enabled

Low 1 Clickjacking: X-Frame-Options header

Low 1 Documentation files

Low 1 HTTP Strict Transport Security (HSTS) not implemented

Low 1 WordPress admin accessible without HTTP authentication

Low 1 WordPress REST API User Enumeration

Informational 1 Content Security Policy (CSP) not implemented

Informational 1 File uploads

Informational 1 Outdated JavaScript libraries

Informational 1 Permissions-Policy header not implemented

Informational 1 PHP Version Disclosure

Informational 1 Subresource Integrity (SRI) not implemented

https://tech-jobs.credit-agricole.com/ Confidence: 100%

The SSL server (port: 443) encrypts traffic using TLSv1.0.

RFC 8996: Deprecating TLS 1.0 and TLS 1.1

PCI 3.1 and TLS 1.2 (Cloudflare Support)

TLS 1.1 enabled

https://tech-jobs.credit-agricole.com/ Confidence: 100%

The SSL server (port: 443) encrypts traffic using TLSv1.1.

RFC 8996: Deprecating TLS 1.0 and TLS 1.1

Clickjacking: X-Frame-Options header

The X-Frame-Options response header

Frame Buster Buster

WordPress - Web publishing software

Copyright 2011-2023 by the contributors

This program is free s ...

HTTP Strict Transport Security (HSTS) not

WordPress Security Tips Part 5 | Restrict Access to wp-admin Directory

WordPress REST API User Enumeration

Stop User Enumeration

WordPress 4.7.1 Security and Maintenance Release

Content Security Policy (CSP) not implemented

Content Security Policy (CSP)

Implementing Content Security Policy

Form name: Questionnaire Credit Agricole

Outdated JavaScript libraries

https://tech-jobs.credit-agricole.com/ Confidence: 95%

Permissions-Policy header not implemented

Permissions-Policy / Feature-Policy (MDN)

Permissions Policy (W3C)

PHP Version Disclosure

PHP Documentation: php.ini directive expose_php

Subresource Integrity (SRI) not implemented

SRI Hash Generator

POST post_id, form_id, referer_title, queried_id, form_fields[input1], form_fields[input2],

You might also like