Professional Documents
Culture Documents
OWASP3
OWASP3
OWASP3
https://fastlotwin.com/
7
IDENTIFIED
2
CONFIRMED
0
CRITICAL
3 0
2
HIGH
MEDIUM
1
LOW
1
BEST PRACTICE INFORMATION
1/27
Vulnerabilities By OWASP 2013
CONFIRM VULNERABILITY METHOD URL SEVERITY
Marked as Secure
Implemented PRACTICE
(GSAP)
( jQuery)
(Bootstrap) N
2/27
1. Out-of-date Version (GSAP)
HIGH 1
Netsparker identified the target web site is using GreenSock Animation Platform (GSAP) and detected that it is out of date.
Impact
Since this is an old version of the software, it may be vulnerable to attacks.
Affected Versions
1.18.2 to 3.5.1
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
External References
CVE-2020-28478
Vulnerabilities
1.1. https://fastlotwin.com/assets/Web_assets/js/TweenMax.min.js
Identified Version
1.20.2
Latest Version
3.10.4
Vulnerability Database
Result is based on 08/05/2022 20:30:00 vulnerability database content.
Certainty
3/27
Request
4/27
Response
Response Time (ms) : 1301.8966 Total Bytes Received : 114721 Body Length : 114220 Is Compressed : No
HTTP/1.1 200 OK
Server: Sucuri/Cloudproxy
X-Content-Type-Options: nosniff
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Connection: keep-alive
X-XSS-Protection: 1; mode=block
Content-Security-Policy: upgrade-insecure-requests;
Content-Length: 114220
X-Sucuri-ID: 13019
X-Frame-Options: SAMEORIGIN
Last-Modified: Fri, 27 Dec 2019 07:13:20 GMT
Accept-Ranges: bytes
Content-Type: application/javascript
Date: Mon, 08 Aug 2022 08:05:35 GMT
Cache-Control: max-age=315360000
X-Suc
…
odified: Fri, 27 Dec 2019 07:13:20 GMT
Accept-Ranges: bytes
Content-Type: application/javascript
Date: Mon, 08 Aug 2022 08:05:35 GMT
Cache-Control: max-age=315360000
X-Sucuri-Cache: MISS
/*!
* VERSION: 1.20.2
* DATE: 2017-06-30
* UPDATES AND DOCS AT: http://greensock.com
*
* Includes all of the following: TweenLite, TweenMax, TimelineLite, TimelineMax, EasePack, CSSPlugi
n, RoundPropsPlugin, BezierPlugin, AttrPlugin, DirectionalRotationPlugin
*
* @license Copyright (c) 2008-2017, GreenSock. All rights reserved.
* This work is subject to the terms at http://greensock.com/standard-license or for
* Club GreenSock members, the software agreement that was issued with your membership.
*
* @author: Jack Doyle
…
Remedy
Please upgrade your installation of GreenSock Animation Platform (GSAP) to the latest stable version.
Remedy References
Downloading GSAP
5/27
CLASSIFICATION
OWASP 2013 A9
6/27
2. Session Cookie Not Marked as Secure
HIGH 1 CONFIRMED 1
Netsparker identified a session cookie not marked as secure, and transmitted over HTTPS.
This means the cookie could potentially be stolen by an attacker who can successfully intercept the traffic, following a successful
man-in-the-middle attack.
It is important to note that Netsparker inferred from the its name that the cookie in question is session related.
Impact
This cookie will be transmitted over a HTTP connection, therefore an attacker might intercept it and hijack a victim's session. If the
attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to your website in
order to steal the cookie.
Vulnerabilities
2.1. https://fastlotwin.com/
CONFIRMED
Identified Cookie(s)
ci_session
Cookie Source
HTTP Header
Request
GET / HTTP/1.1
Host: fastlotwin.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/
79.0.3945.0 Safari/537.36
7/27
Response
Response Time (ms) : 2325.0282 Total Bytes Received : 43607 Body Length : 42996 Is Compressed : No
HTTP/1.1 200 OK
Set-Cookie: ci_session=c1c28dfe401d459cd82db6c03220d903a4e08e45; expires=Mon, 08-Aug-2022 10:03:14 G
MT; Max-Age=7200; path=/; HttpOnly
Server: Sucuri/Cloudproxy
X-Content-Type-Options: nosniff
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Connection: keep-alive
X-XSS-Protection: 1; mode=block
Content-Security-Policy: upgrade-insecure-requests;
X-Frame-Options: SAMEORIGIN
X-Sucuri-ID: 13019
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Mon, 08 Aug 2022 08:03:15 GMT
Cache-Control: no-store, no-cache, must-revalidate
X-SucHTTP/1.1 200 OK
Set-Cookie: ci_session=c1c28dfe401d459cd82db6c03220d903a4e08e45; expires=Mon, 08-Aug-2022 10:03:14 G
MT; Max-Age=7200; path=/; HttpOnly
Server: Sucuri/Cloudproxy
X-Content-Type-Options: nosniff
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Connection: keep-alive
X-XSS-Protection: 1; mode=block
Content-Security-Policy: upgrade-insecure-
…
Actions to Take
Remedy
Mark all cookies used within the application as secure.
8/27
CLASSIFICATION
OWASP 2013 A6
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
9/27
3. HTTP Strict Transport Security (HSTS)
Policy Not Enabled
MEDIUM 1
Identified that HTTP Strict Transport Security (HSTS) policy is not enabled.
The target website is being served from not only HTTPS but also HTTP and it lacks of HSTS policy implementation.
HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user
agents (such as a web browser) are to interact with it using only secure (HTTPS) connections. The HSTS Policy is communicated by
the server to the user agent via a HTTP response header field named "Strict-Transport-Security". HSTS Policy specifies a period of
time during which the user agent shall access the server in only secure fashion.
When a web application issues HSTS Policy to user agents, conformant user agents behave as follows:
Automatically turn any insecure (HTTP) links referencing the web application into secure (HTTPS) links. (For instance,
http://example.com/some/page/ will be modified to https://example.com/some/page/ before accessing the server.)
If the security of the connection cannot be ensured (e.g. the server's TLS certificate is self-signed), user agents show an
error message and do not allow the user to access the web application.
Vulnerabilities
3.1. https://fastlotwin.com/
Certainty
Request
GET / HTTP/1.1
Host: fastlotwin.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/
79.0.3945.0 Safari/537.36
10/27
Response
Response Time (ms) : 1757.8311 Total Bytes Received : 43607 Body Length : 42996 Is Compressed : No
HTTP/1.1 200 OK
Set-Cookie: ci_session=f8627ee7dd96d3fed5aa7bcaac3b596b16274833; expires=Mon, 08-Aug-2022 10:03:49 G
MT; Max-Age=7200; path=/; HttpOnly
Server: Sucuri/Cloudproxy
X-Content-Type-Options: nosniff
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Connection: keep-alive
X-XSS-Protection: 1; mode=block
Content-Security-Policy: upgrade-insecure-requests;
X-Frame-Options: SAMEORIGIN
X-Sucuri-ID: 13019
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Mon, 08 Aug 2022 08:03:50 GMT
Cache-Control: no-store, no-cache, must-revalidate
X-Sucuri-Cache: MISS
<!DOCTYPE html>
<html lang="en">
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>FastLotWin</title>
</head>
<body>
<!-- preloader start -->
<div id="preloader">
<div class="p
…
Remedy
11/27
Configure your webserver to redirect HTTP requests to HTTPS.
i.e. for Apache, you should have modification in the httpd.conf. For more configurations, please refer to External References
section.
# load module
LoadModule headers_module modules/mod_headers.so
# HTTPS-Host-Configuration
<VirtualHost *:443>
# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
External References
CLASSIFICATION
OWASP 2013 A6
12/27
CVSS Vector String
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
13/27
4. Weak Ciphers Enabled
MEDIUM 1 CONFIRMED 1
detected that weak ciphers are enabled during secure communication (SSL).
You should allow only strong ciphers on your web server to protect secure communication with your visitors.
Impact
Attackers might decrypt SSL traffic between your server and your visitors.
Vulnerabilities
4.1. https://fastlotwin.com/
CONFIRMED
Request
[SSL Connection]
Response
[SSL Connection]
Actions to Take
1. For Apache, you should modify the SSLCipherSuite directive in the httpd.conf.
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
2. Lighttpd:
14/27
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM"
3. For Microsoft IIS, you should make some changes to the system registry. Incorrectly editing the registry may severely
damage your system. Before making changes to the registry, you should back up any valued data on your
computer.
a.Click Start, click Run, type regedt32or type regedit, and then click OK.
b.In Registry Editor, locate the following registry key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
c.Set "Enabled" DWORD to "0x0" for the following registry keys:
SCHANNEL\Ciphers\DES 56/56
SCHANNEL\Ciphers\RC4 64/128
SCHANNEL\Ciphers\RC4 40/128
SCHANNEL\Ciphers\RC2 56/128
SCHANNEL\Ciphers\RC2 40/128
SCHANNEL\Ciphers\NULL
SCHANNEL\Hashes\MD5
Remedy
External References
OWASP - Insecure Configuration Management
OWASP Top 10-2017 A3-Sensitive Data Exposure
Zombie Poodle - Golden Doodle (CBC)
Mozilla SSL Configuration Generator
Strong Ciphers for Apache, Nginx and Lighttpd
CLASSIFICATION
OWASP 2013 A6
15/27
CVSS Vector String
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
16/27
5. Out-of-date Version (jQuery)
MEDIUM 1
identified the target web site is using jQuery and detected that it is out of date.
Impact
Since this is an old version of the software, it may be vulnerable to attacks.
jQuery Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to
one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is
patched in jQuery 3.5.0.
Affected Versions
1.9.0 to 3.4.1
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
External References
CVE-2020-11022
jQuery Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from
untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and
others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Affected Versions
1.9.0 to 3.4.1
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
External References
CVE-2020-11023
Affected Versions
1.0 to 3.3.1
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
External References
CVE-2019-11358
17/27
Vulnerabilities
5.1. https://fastlotwin.com/
Identified Version
3.3.1
Latest Version
3.6.0
Vulnerability Database
Result is based on 08/05/2022 20:30:00 vulnerability database content.
Certainty
Request
GET / HTTP/1.1
Host: fastlotwin.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/
79.0.3945.0 Safari/537.36
18/27
Response
Response Time (ms) : 2325.0282 Total Bytes Received : 43607 Body Length : 42996 Is Compressed : No
HTTP/1.1 200 OK
Set-Cookie: ci_session=c1c28dfe401d459cd82db6c03220d903a4e08e45; expires=Mon, 08-Aug-2022 10:03:14 G
MT; Max-Age=7200; path=/; HttpOnly
Server: Sucuri/Cloudproxy
X-Content-Type-Options: nosniff
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Connection: keep-alive
X-XSS-Protection: 1; mode=block
Content-Security-Policy: upgrade-insecure-requests;
X-Frame-Options: SAMEORIGIN
X-Sucuri-ID: 13019
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Mon, 08 Aug 2022 08:03:15 GMT
Cache-Control: no-store, no-cache, must-revalidate
X-Suc
…
com/assets/Web_assets/css/style.css">
<link rel="stylesheet" href="https://www.fastlotwin.com/assets/Web_assets/css/responsive.css">
<script src="https://www.fastlotwin.com/assets/Web_assets/js/jquery-3.3.1.min.js"></script>
<!-- <script src="https://www.fastlotwin.com/assets/Web_assets/js/jquery.countdown.js"></script
>-->
<title>FastLotWin</title>
</head>
<body>
<!-- preloader start -->
<div i
…
Remedy
Please upgrade your installation of jQuery to the latest stable version.
Remedy References
Downloading jQuery
CLASSIFICATION
OWASP 2013 A9
19/27
20/27
6. Referrer-Policy Not Implemented
BEST PRACTICE 1
Impact
Referer header is a request header that indicates the site which the traffic originated from. If there is no adequate prevention in
place, the URL itself, and even sensitive information contained in the URL will be leaked to the cross-site.
The lack of Referrer-Policy header might affect privacy of the users and site's itself
Vulnerabilities
6.1. https://fastlotwin.com/
Certainty
Request
GET / HTTP/1.1
Host: fastlotwin.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/
79.0.3945.0 Safari/537.36
21/27
Response
Response Time (ms) : 2325.0282 Total Bytes Received : 43607 Body Length : 42996 Is Compressed : No
HTTP/1.1 200 OK
Set-Cookie: ci_session=c1c28dfe401d459cd82db6c03220d903a4e08e45; expires=Mon, 08-Aug-2022 10:03:14 G
MT; Max-Age=7200; path=/; HttpOnly
Server: Sucuri/Cloudproxy
X-Content-Type-Options: nosniff
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Connection: keep-alive
X-XSS-Protection: 1; mode=block
Content-Security-Policy: upgrade-insecure-requests;
X-Frame-Options: SAMEORIGIN
X-Sucuri-ID: 13019
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Mon, 08 Aug 2022 08:03:15 GMT
Cache-Control: no-store, no-cache, must-revalidate
X-Sucuri-Cache: MISS
<!DOCTYPE html>
<html lang="en">
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>FastLotWin</title>
</head>
<body>
<!-- preloader start -->
<div id="preloader">
<div class="p
…
Actions to Take
22/27
In a response header:
In a META tag
In an element attribute
or
Remedy
Please implement a Referrer-Policy by using the Referrer-Policy response header or by declaring it in the meta tags. It’s also
possible to control referrer information over an HTML-element by using the rel attribute.
External References
Referrer Policy
Referrer Policy - MDN
Referrer Policy HTTP Header
A New Security Header: Referrer Policy
Can I Use Referrer-Policy
CLASSIFICATION
OWASP 2013 A6
23/27
7. Out-of-date Version (Bootstrap)
INFORMATION 1
Netsparker identified that the target web site is using Bootstrap and detected that it is out of date.
Impact
Since this is an old version of the software, it may be vulnerable to attacks.
Vulnerabilities
7.1. https://fastlotwin.com/assets/Web_assets/js/bootstrap.min.js
Identified Version
4.2.1
Latest Version
4.6.2 (in this branch)
Vulnerability Database
Result is based on 08/05/2022 20:30:00 vulnerability database content.
Certainty
Request
24/27
Response
Response Time (ms) : 1685.3784 Total Bytes Received : 56275 Body Length : 55775 Is Compressed : No
HTTP/1.1 200 OK
Server: Sucuri/Cloudproxy
X-Content-Type-Options: nosniff
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Connection: keep-alive
X-XSS-Protection: 1; mode=block
Content-Security-Policy: upgrade-insecure-requests;
Content-Length: 55775
X-Sucuri-ID: 13019
X-Frame-Options: SAMEORIGIN
Last-Modified: Fri, 27 Dec 2019 06:35:50 GMT
Accept-Ranges: bytes
Content-Type: application/javascript
Date: Mon, 08 Aug 2022 08:03:51 GMT
Cache-Control: max-age=315360000
X-Suc
…
dified: Fri, 27 Dec 2019 06:35:50 GMT
Accept-Ranges: bytes
Content-Type: application/javascript
Date: Mon, 08 Aug 2022 08:03:51 GMT
Cache-Control: max-age=315360000
X-Sucuri-Cache: MISS
/*!
* Bootstrap v4.2.1(https://getbootstrap.com/)
* Copyright 2011-2018 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors)
* Licensed under MIT (https://github.com/twbs/bootstrap/blob/master
…
Remedy
Please upgrade your installation of Bootstrap to the latest stable version.
Remedy References
Downloading Bootstrap
CLASSIFICATION
OWASP 2013 A9
25/27
Show Scan Detail
26/27
Static Resources (All Paths),
Unicode Transformation (Best-Fit Mapping),
WAF Identifier,
Web App Fingerprint,
Web Cache Deception,
WebDAV,
Windows Short Filename,
XML External Entity,
XML External Entity (Out of Band)
Authentication : None
Scheduled : No
https://digitconsultants.co.in/
27/27