OWASP3

08/08/2022 1:58:19 PM (UTC+05:30)
OWASP Top Ten 2013 Report
https://fastlotwin.com/
Scan Time 08/08/2022 1:35:46 PM (UTC+05:30)

Scan Duration 00:00:06:45
Total Requests : 168 Risk Level:
Average Speed : 0.4r/s
HIGH
Explanation
This report is generated based on OWASP Top Ten 2013 classification.
There are 9 more vulnerabilities that are not shown below. Please take a look at the detailed scan report to see them.
7
IDENTIFIED
2
CONFIRMED
0
CRITICAL
3 0
2
HIGH
MEDIUM
1
LOW
1
BEST PRACTICE INFORMATION
Identified Vulnerabilities Confirmed Vulnerabilities

Critical 0 Critical 0
High 2 High 1
Medium 3 Medium 1
Low 0 Low 0
Best Practice 1 Best Practice 0
Information 1 Information 0
TOTAL 7 TOTAL 2
1/27
Vulnerabilities By OWASP 2013
CONFIRM VULNERABILITY METHOD URL SEVERITY
A6 - SENSITIVE DATA EXPOSURE
Session Cookie Not GET https://fastlotwin.com/ HIGH
Marked as Secure
Weak Ciphers Enabled GET https://fastlotwin.com/ MEDIUM
HTTP Strict Transport GET https://fastlotwin.com/ MEDIUM
Security (HSTS) Policy

Not Enabled
Referrer-Policy Not GET https://fastlotwin.com/ BEST
Implemented PRACTICE
A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES
Out-of-date Version GET https://fastlotwin.com/assets/Web_assets/js/TweenMax.min.js HIGH
(GSAP)
Out-of-date Version GET https://fastlotwin.com/ MEDIUM
( jQuery)
Out-of-date Version GET https://fastlotwin.com/assets/Web_assets/js/bootstrap.min.js INFORMATIO
(Bootstrap) N
2/27
1. Out-of-date Version (GSAP)
HIGH 1
Netsparker identified the target web site is using GreenSock Animation Platform (GSAP) and detected that it is out of date.
Impact
Since this is an old version of the software, it may be vulnerable to attacks.
GSAP Insufficient Information Vulnerability

This affects the package gsap before 3.6.0.
Affected Versions
1.18.2 to 3.5.1
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
External References
CVE-2020-28478
Vulnerabilities
1.1. https://fastlotwin.com/assets/Web_assets/js/TweenMax.min.js
Identified Version
1.20.2
Latest Version
3.10.4
Vulnerability Database
Result is based on 08/05/2022 20:30:00 vulnerability database content.
Certainty
3/27
Request
GET /assets/Web_assets/js/TweenMax.min.js HTTP/1.1

Host: fastlotwin.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: ci_session=c1c28dfe401d459cd82db6c03220d903a4e08e45
Referer: https://fastlotwin.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/
79.0.3945.0 Safari/537.36
4/27
Response
Response Time (ms) : 1301.8966 Total Bytes Received : 114721 Body Length : 114220 Is Compressed : No
HTTP/1.1 200 OK
Server: Sucuri/Cloudproxy
X-Content-Type-Options: nosniff
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Connection: keep-alive
X-XSS-Protection: 1; mode=block
Content-Security-Policy: upgrade-insecure-requests;
Content-Length: 114220
X-Sucuri-ID: 13019
X-Frame-Options: SAMEORIGIN
Last-Modified: Fri, 27 Dec 2019 07:13:20 GMT
Accept-Ranges: bytes
Content-Type: application/javascript
Date: Mon, 08 Aug 2022 08:05:35 GMT
Cache-Control: max-age=315360000
X-Suc
…
odified: Fri, 27 Dec 2019 07:13:20 GMT
Date: Mon, 08 Aug 2022 08:05:35 GMT
X-Sucuri-Cache: MISS
/*!
* VERSION: 1.20.2
* DATE: 2017-06-30
* UPDATES AND DOCS AT: http://greensock.com
*
* Includes all of the following: TweenLite, TweenMax, TimelineLite, TimelineMax, EasePack, CSSPlugi
n, RoundPropsPlugin, BezierPlugin, AttrPlugin, DirectionalRotationPlugin
*
* @license Copyright (c) 2008-2017, GreenSock. All rights reserved.
* This work is subject to the terms at http://greensock.com/standard-license or for
* Club GreenSock members, the software agreement that was issued with your membership.
*
* @author: Jack Doyle
…
Remedy
Please upgrade your installation of GreenSock Animation Platform (GSAP) to the latest stable version.
Remedy References
Downloading GSAP
5/27
CLASSIFICATION
OWASP 2013 A9
6/27
2. Session Cookie Not Marked as Secure
HIGH 1 CONFIRMED 1
Netsparker identified a session cookie not marked as secure, and transmitted over HTTPS.
This means the cookie could potentially be stolen by an attacker who can successfully intercept the traffic, following a successful
man-in-the-middle attack.
It is important to note that Netsparker inferred from the its name that the cookie in question is session related.
Impact
This cookie will be transmitted over a HTTP connection, therefore an attacker might intercept it and hijack a victim's session. If the
attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to your website in
order to steal the cookie.
Vulnerabilities
2.1. https://fastlotwin.com/
CONFIRMED
Identified Cookie(s)
ci_session
Cookie Source
HTTP Header
Request
GET / HTTP/1.1
79.0.3945.0 Safari/537.36
7/27
Response
HTTP/1.1 200 OK
Set-Cookie: ci_session=c1c28dfe401d459cd82db6c03220d903a4e08e45; expires=Mon, 08-Aug-2022 10:03:14 G
MT; Max-Age=7200; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-Sucuri-ID: 13019
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Mon, 08 Aug 2022 08:03:15 GMT
Cache-Control: no-store, no-cache, must-revalidate
X-SucHTTP/1.1 200 OK
Content-Security-Policy: upgrade-insecure-
…
Actions to Take
1. See the remedy for solution.

2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any
personal information, you do not have to mark it as secure.)
Remedy
Mark all cookies used within the application as secure.
Required Skills for Successful Exploitation

To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to
the victim's network. Attackers need to understand layer 2 and have gained access to a system between the victim and the web
server.
External References
.NET Cookie.Secure Property

How to Create Totally Secure Cookies
Netsparker - Security Cookies - Secure Flag
8/27
CLASSIFICATION
OWASP 2013 A6
CVSS 3.0 SCORE
Base 5.3 (Medium)
Temporal 5.3 (Medium)
Environmental 5.3 (Medium)
CVSS Vector String
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 3.1 SCORE
Base 5.3 (Medium)
CVSS Vector String
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
9/27
3. HTTP Strict Transport Security (HSTS)
Policy Not Enabled
MEDIUM 1
Identified that HTTP Strict Transport Security (HSTS) policy is not enabled.
The target website is being served from not only HTTPS but also HTTP and it lacks of HSTS policy implementation.
HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user
agents (such as a web browser) are to interact with it using only secure (HTTPS) connections. The HSTS Policy is communicated by
the server to the user agent via a HTTP response header field named "Strict-Transport-Security". HSTS Policy specifies a period of
time during which the user agent shall access the server in only secure fashion.
When a web application issues HSTS Policy to user agents, conformant user agents behave as follows:
Automatically turn any insecure (HTTP) links referencing the web application into secure (HTTPS) links. (For instance,
http://example.com/some/page/ will be modified to https://example.com/some/page/ before accessing the server.)
If the security of the connection cannot be ensured (e.g. the server's TLS certificate is self-signed), user agents show an
error message and do not allow the user to access the web application.
Vulnerabilities
Certainty
Request
GET / HTTP/1.1
79.0.3945.0 Safari/537.36
10/27
Response
HTTP/1.1 200 OK
Set-Cookie: ci_session=f8627ee7dd96d3fed5aa7bcaac3b596b16274833; expires=Mon, 08-Aug-2022 10:03:49 G
X-Sucuri-ID: 13019
Pragma: no-cache
Date: Mon, 08 Aug 2022 08:03:50 GMT
<!DOCTYPE html>
<html lang="en">
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">

<meta http-equiv="X-UA-Compatible" content="ie=edge">
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<link rel="shortcut icon" type="image/png" href="https://www.fastlotwin.com/assets/Web_assets/favico
n.ico"/>
<link rel="stylesheet" href="https://www.fastlotwin.com/assets/Web_assets/css/bootstrap.min.css">
<link rel="stylesheet" href="https://www.fastlotwin.com/assets/Web_assets/css/fontawesome.min.css">
<link rel="stylesheet" href="https://www.fastlotwin.com/assets/Web_assets/css/flaticon.css">
<link rel="stylesheet" href="https://www.fastlotwin.com/assets/Web_assets/css/animate.css">
<link rel="stylesheet" href="https://www.fastlotwin.com/assets/Web_assets/css/slick.css">
<link rel="stylesheet" href="https://www.fastlotwin.com/assets/Web_assets/css/style.css">
<link rel="stylesheet" href="https://www.fastlotwin.com/assets/Web_assets/css/responsive.css">
<script src="https://www.fastlotwin.com/assets/Web_assets/js/jquery-3.3.1.min.js"></script>

<title>FastLotWin</title>
</head>
<body>

<div id="preloader">
<div class="p
…
Remedy
11/27
Configure your webserver to redirect HTTP requests to HTTPS.
i.e. for Apache, you should have modification in the httpd.conf. For more configurations, please refer to External References
section.
# load module
LoadModule headers_module modules/mod_headers.so
# redirect all HTTP to HTTPS (optional)

<VirtualHost *:80>
ServerAlias *
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
# HTTPS-Host-Configuration
<VirtualHost *:443>
# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Further Configuration goes here

[...]
</VirtualHost>
External References
Wikipedia - HTTP Strict Transport Security

Configure HSTS (HTTP Strict Transport Security) for Apache/Nginx
HTTP Strict Transport Security (HSTS) HTTP Header
Mozilla SSL Configuration Generator
CLASSIFICATION
OWASP 2013 A6
CVSS 3.0 SCORE
Base 7.7 (High)
Temporal 7.7 (High)
Environmental 7.7 (High)
CVSS Vector String
12/27
CVSS Vector String
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
CVSS 3.1 SCORE
Base 7.7 (High)
Temporal 7.7 (High)
Environmental 7.7 (High)
CVSS Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
13/27
4. Weak Ciphers Enabled
MEDIUM 1 CONFIRMED 1
detected that weak ciphers are enabled during secure communication (SSL).
You should allow only strong ciphers on your web server to protect secure communication with your visitors.
Impact
Attackers might decrypt SSL traffic between your server and your visitors.
Vulnerabilities
CONFIRMED
List of Supported Weak Ciphers

TLS_RSA_WITH_AES_128_CBC_SHA (0x002F)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xC077)
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0xC076)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
Request
[SSL Connection]
Response
Response Time (ms) : 1 Total Bytes Received : 16 Body Length : 0 Is Compressed : No
[SSL Connection]
Actions to Take
1. For Apache, you should modify the SSLCipherSuite directive in the httpd.conf.
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
2. Lighttpd:
14/27
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM"
3. For Microsoft IIS, you should make some changes to the system registry. Incorrectly editing the registry may severely
damage your system. Before making changes to the registry, you should back up any valued data on your
computer.
a.Click Start, click Run, type regedt32or type regedit, and then click OK.
b.In Registry Editor, locate the following registry key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
c.Set "Enabled" DWORD to "0x0" for the following registry keys:
SCHANNEL\Ciphers\DES 56/56
SCHANNEL\Ciphers\RC4 64/128
SCHANNEL\Ciphers\NULL
SCHANNEL\Hashes\MD5
Remedy
Configure your web server to disallow using weak ciphers.
External References
OWASP - Insecure Configuration Management
OWASP Top 10-2017 A3-Sensitive Data Exposure
Zombie Poodle - Golden Doodle (CBC)
Mozilla SSL Configuration Generator
Strong Ciphers for Apache, Nginx and Lighttpd
CLASSIFICATION
OWASP 2013 A6
CVSS 3.0 SCORE
Base 6.8 (Medium)
CVSS Vector String
15/27
CVSS Vector String
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 3.1 SCORE
Base 6.8 (Medium)
CVSS Vector String
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
16/27
5. Out-of-date Version (jQuery)
MEDIUM 1
identified the target web site is using jQuery and detected that it is out of date.
Impact
jQuery Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to
one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is
patched in jQuery 3.5.0.
Affected Versions
1.9.0 to 3.4.1
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
External References
CVE-2020-11022
jQuery Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from
untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and
others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Affected Versions
1.9.0 to 3.4.1
CVSS
External References
CVE-2020-11023
JQuery Prototype Pollution Vulnerability

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of
Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native
Object.prototype.
Affected Versions
1.0 to 3.3.1
CVSS
External References
CVE-2019-11358
17/27
Vulnerabilities
Identified Version
3.3.1
Latest Version
3.6.0
Certainty
Request
GET / HTTP/1.1
79.0.3945.0 Safari/537.36
18/27
Response
HTTP/1.1 200 OK
X-Sucuri-ID: 13019
Pragma: no-cache
Date: Mon, 08 Aug 2022 08:03:15 GMT
X-Suc
…
com/assets/Web_assets/css/style.css">
>-->
</head>
<body>
<div i
…
Remedy
Please upgrade your installation of jQuery to the latest stable version.
Remedy References
Downloading jQuery
CLASSIFICATION
OWASP 2013 A9
19/27
20/27
6. Referrer-Policy Not Implemented
BEST PRACTICE 1
Netsparker detected that no Referrer-Policy header implemented.
Referrer-Policy is a security header designed to prevent cross-domain Referer leakage.
Impact
Referer header is a request header that indicates the site which the traffic originated from. If there is no adequate prevention in
place, the URL itself, and even sensitive information contained in the URL will be leaked to the cross-site.
The lack of Referrer-Policy header might affect privacy of the users and site's itself
Vulnerabilities
Certainty
Request
GET / HTTP/1.1
79.0.3945.0 Safari/537.36
21/27
Response
HTTP/1.1 200 OK
X-Sucuri-ID: 13019
Pragma: no-cache
Date: Mon, 08 Aug 2022 08:03:15 GMT
<!DOCTYPE html>
<html lang="en">
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">

<meta http-equiv="X-UA-Compatible" content="ie=edge">
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<link rel="shortcut icon" type="image/png" href="https://www.fastlotwin.com/assets/Web_assets/favico
n.ico"/>
<link rel="stylesheet" href="https://www.fastlotwin.com/assets/Web_assets/css/bootstrap.min.css">
<link rel="stylesheet" href="https://www.fastlotwin.com/assets/Web_assets/css/fontawesome.min.css">
<link rel="stylesheet" href="https://www.fastlotwin.com/assets/Web_assets/css/flaticon.css">
<link rel="stylesheet" href="https://www.fastlotwin.com/assets/Web_assets/css/animate.css">
<link rel="stylesheet" href="https://www.fastlotwin.com/assets/Web_assets/css/slick.css">
<link rel="stylesheet" href="https://www.fastlotwin.com/assets/Web_assets/css/style.css">
>-->
</head>
<body>
<div id="preloader">
<div class="p
…
Actions to Take
22/27
In a response header:
Referrer-Policy: no-referrer | same-origin | origin | strict-origin | no-origin-when-downgrading
In a META tag
<meta name="Referrer-Policy" value="no-referrer | same-origin"/>
In an element attribute
<a href="http://crosssite.example.com" rel="noreferrer"></a>
or
<a href="http://crosssite.example.com" referrerpolicy="no-referrer | same-origin | origin | strict-

origin | no-origin-when-downgrading"></a>
Remedy
Please implement a Referrer-Policy by using the Referrer-Policy response header or by declaring it in the meta tags. It’s also
possible to control referrer information over an HTML-element by using the rel attribute.
External References
Referrer Policy
Referrer Policy - MDN
Referrer Policy HTTP Header
A New Security Header: Referrer Policy
Can I Use Referrer-Policy
CLASSIFICATION
OWASP 2013 A6
23/27
7. Out-of-date Version (Bootstrap)
INFORMATION 1
Netsparker identified that the target web site is using Bootstrap and detected that it is out of date.
Impact
Vulnerabilities
7.1. https://fastlotwin.com/assets/Web_assets/js/bootstrap.min.js
Identified Version
4.2.1
Latest Version
4.6.2 (in this branch)
Overall Latest Version

5.2.0
Certainty
Request
GET /assets/Web_assets/js/bootstrap.min.js HTTP/1.1

Cookie: ci_session=c1c28dfe401d459cd82db6c03220d903a4e08e45
Referer: https://fastlotwin.com/
79.0.3945.0 Safari/537.36
24/27
Response
HTTP/1.1 200 OK
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Content-Length: 55775
X-Sucuri-ID: 13019
Last-Modified: Fri, 27 Dec 2019 06:35:50 GMT
Date: Mon, 08 Aug 2022 08:03:51 GMT
X-Suc
…
dified: Fri, 27 Dec 2019 06:35:50 GMT
Date: Mon, 08 Aug 2022 08:03:51 GMT
/*!
* Bootstrap v4.2.1(https://getbootstrap.com/)
* Copyright 2011-2018 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors)
* Licensed under MIT (https://github.com/twbs/bootstrap/blob/master
…
Remedy
Please upgrade your installation of Bootstrap to the latest stable version.
Remedy References
Downloading Bootstrap
CLASSIFICATION
OWASP 2013 A9
25/27
Show Scan Detail
Enabled Security Checks : BREACH Attack,

Code Evaluation,
Code Evaluation (Out of Band),
Command Injection,
Command Injection (Blind),
Content Security Policy,
Content-Type Sniffing,
Cookie,
Cross Frame Options Security,
Cross-Origin Resource Sharing (CORS),
Cross-Site Request Forgery,
Cross-site Scripting,
Cross-site Scripting (Blind),
Custom Script Checks (Active),
Custom Script Checks (Passive),
Custom Script Checks (Per Directory),
Custom Script Checks (Singular),
Expect Certificate Transparency (Expect-CT),
File Upload,
Header Analyzer,
Heartbleed,
HSTS,
HTML Content,
HTTP Header Injection,
HTTP Methods,
HTTP Status,
HTTP.sys (CVE-2015-1635),
IFrame Security,
Insecure JSONP Endpoint,
Insecure Reflected Content,
JavaScript Libraries,
JSON Web Token,
Local File Inclusion,
Log4j Code Evaluation (Out of Band),
Login Page Identifier,
Mixed Content,
Open Redirection,
Referrer Policy,
Reflected File Download,
Remote File Inclusion,
Reverse Proxy Detection,
Server-Side Request Forgery (DNS),
Server-Side Request Forgery (Pattern Based),
Server-Side Template Injection,
Signatures,
Software Composition Analysis (SCA),
SQL Injection (Blind),
SQL Injection (Boolean),
SQL Injection (Error Based),
SQL Injection (Out of Band),
SSL,
26/27
Static Resources (All Paths),
Unicode Transformation (Best-Fit Mapping),
WAF Identifier,
Web App Fingerprint,
Web Cache Deception,
WebDAV,
Windows Short Filename,
XML External Entity,
XML External Entity (Out of Band)
URL Rewrite Mode : Heuristic
Detected URL Rewrite Rule(s) : None
Excluded URL Patterns : gtm\.js

WebResource\.axd
ScriptResource\.axd
Authentication : None
Authentication Profile : None
Scheduled : No
Additional Website(s) : https://www.fastlotwin.com/
This report created with 6.3.3.34686-master-1d431c8
https://digitconsultants.co.in/
27/27

OWASP3

Uploaded by

Copyright:

Available Formats

You might also like

OWASP3

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

OWASP3

Uploaded by

Copyright:

Available Formats

08/08/2022 1:58:19 PM (UTC+05:30)

OWASP Top Ten 2013 Report

Scan Time 08/08/2022 1:35:46 PM (UTC+05:30)

Identified Vulnerabilities Confirmed Vulnerabilities

A6 - SENSITIVE DATA EXPOSURE

Session Cookie Not GET https://fastlotwin.com/ HIGH

Weak Ciphers Enabled GET https://fastlotwin.com/ MEDIUM

HTTP Strict Transport GET https://fastlotwin.com/ MEDIUM

Security (HSTS) Policy

Referrer-Policy Not GET https://fastlotwin.com/ BEST

A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES

Out-of-date Version GET https://fastlotwin.com/assets/Web_assets/js/TweenMax.min.js HIGH

Out-of-date Version GET https://fastlotwin.com/ MEDIUM

Out-of-date Version GET https://fastlotwin.com/assets/Web_assets/js/bootstrap.min.js INFORMATIO

GSAP Insufficient Information Vulnerability

GET /assets/Web_assets/js/TweenMax.min.js HTTP/1.1

1. See the remedy for solution.

Required Skills for Successful Exploitation

.NET Cookie.Secure Property

CVSS 3.0 SCORE

Base 5.3 (Medium)

Temporal 5.3 (Medium)

Environmental 5.3 (Medium)

CVSS Vector String

CVSS 3.1 SCORE

Base 5.3 (Medium)

Temporal 5.3 (Medium)

Environmental 5.3 (Medium)

CVSS Vector String

<meta name="viewport" content="width=device-width, initial-scale=1.0">

# redirect all HTTP to HTTPS (optional)

# Further Configuration goes here

Wikipedia - HTTP Strict Transport Security

CVSS 3.0 SCORE

Base 7.7 (High)

Temporal 7.7 (High)

Environmental 7.7 (High)

CVSS Vector String

CVSS 3.1 SCORE

Base 7.7 (High)

Temporal 7.7 (High)

Environmental 7.7 (High)

CVSS Vector String

List of Supported Weak Ciphers

Response Time (ms) : 1 Total Bytes Received : 16 Body Length : 0 Is Compressed : No

Configure your web server to disallow using weak ciphers.

CVSS 3.0 SCORE

Base 6.8 (Medium)

Temporal 6.8 (Medium)

Environmental 6.8 (Medium)

CVSS Vector String

CVSS 3.1 SCORE

Base 6.8 (Medium)

Temporal 6.8 (Medium)

Environmental 6.8 (Medium)

CVSS Vector String

JQuery Prototype Pollution Vulnerability

Netsparker detected that no Referrer-Policy header implemented.

Referrer-Policy is a security header designed to prevent cross-domain Referer leakage.