Developer Report: Acunetix Website Audit 19 November, 2018
Scan information
Start time 18/11/2018 13:47:46
Finish time 18/11/2018 23:00:05
Scan time 9 hours, 12 minutes
Profile Default
Server information
Responsive True
Server banner nginx/1.12.2
Server OS Unknown
Server technologies PHP
Threat level
Acunetix Threat Level 2
One or more medium-severity type vulnerabilities have been discovered by the scanner.
You should investigate each of these vulnerabilities to ensure they will not escalate to
more severe problems.
Alerts distribution
Knowledge base
Possible registration page
A page where it is possible to register a new user account was found at /register.
List of file extensions
File extensions can provide information on what technologies are being used on this website.
List of file extensions detected:
- /assets/libs/bootstrap/dist/js/bootstrap.min.js
- /assets/libs/jquery/dist/jquery.min.js
- /assets/libs/popper.js/dist/umd/popper.min.js
- /assets/libs/pace-progress/pace.min.js
- /assets/libs/pjax/pjax.js
- /assets/html/scripts/lazyload.config.js
- /assets/html/scripts/lazyload.js
- /assets/html/scripts/plugin.js
- /assets/html/scripts/nav.js
- /assets/html/scripts/scrollto.js
- /assets/html/scripts/toggleclass.js
- /assets/html/scripts/theme.js
- /assets/html/scripts/ajax.js
- /assets/html/scripts/app.js
- /js/app.js
List of files with inputs
These files have at least one input (GET or POST).
- / - 3 inputs
- /login - 1 inputs
- /rtl.html - 1 inputs
- /dashboard.html - 1 inputs
- /assets/libs/font-awesome/fonts/fontawesome-webfont.woff2 - 1 inputs
- /dashboard.7.html - 1 inputs
- /dashboard.6.html - 1 inputs
- /dashboard.5.html - 1 inputs
- /dashboard.8.html - 1 inputs
- /register - 1 inputs
- /password/email - 1 inputs
- /dashboard.4.html - 1 inputs
- /dashboard.1.html - 1 inputs
- /dashboard.2.html - 1 inputs
- /dashboard.3.html - 1 inputs
- /fonts/vendor/bootstrap-sass/bootstrap/glyphicons-halflings-regular.woff2 - 1 inputs
List of external hosts
These hosts were linked from this website but were not scanned because they are not in the list of allowed hosts
(Configuration -> Scan Settings -> Scanning Options -> List of hosts allowed).
- themeforest.net
- simkes.pushidrosal.id
- fonts.googleapis.com
- duckduckgo.com
- google.com
- stackoverflow.com
List of email addresses
List of all email addresses found on this host.
- sample@email.tst
Alerts summary
Severity Medium
Type Validation
Reported by module Scripting (htaccess_File_Readable.script)
Description
This directory contains an .htaccess file that is readable. This may indicate a server misconfiguration. .htaccess files are
designed to be parsed by the web server and should not be directly accessible. These files could contain sensitive
information that could help an attacker to conduct further attacks. It is recommended to restrict access to this file.
Impact
Possible sensitive information disclosure.
Recommendation
Restrict access to the .htaccess file by adjusting the web server configuration.
Affected items
/
Details
No details are available.
Request headers
GET /.htaccess HTTP/1.1
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Severity Medium
Type Configuration
Reported by module Crawler
Description
User credentials are transmitted over an unencrypted channel. This information should always be transferred via an
encrypted channel (HTTPS) to avoid being intercepted by malicious users.
Impact
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.
Recommendation
Because user credentials are considered sensitive information, they should always be transferred to the server over an
encrypted connection (HTTPS).
Affected items
/login
Details
Form name: <empty>
Form action: http://simkes.pushidrosal.id/login
Form method: POST
Form inputs:
- _token [Hidden]
- email [Text]
- password [Password]
Request headers
GET /login HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://simkes.pushidrosal.id/
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/register
Form inputs:
- _token [Hidden]
- name [Text]
- email [Text]
- password [Password]
- password_confirmation [Password]
Request headers
GET /register HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://simkes.pushidrosal.id/login
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Severity Low
Type Configuration
Reported by module Scripting (Clickjacking_X_Frame_Options.script)
Description
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web
user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing
confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking
attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be
allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their
content is not embedded into other sites.
Impact
The impact depends on the affected web application.
Recommendation
Configure your web server to include an X-Frame-Options header. Consult Web references for more information about
the possible values for this header.
References
Clickjacking Protection for Java EE
Frame Buster Buster
Defending with Content Security Policy frame-ancestors directive
OWASP Clickjacking
Clickjacking
The X-Frame-Options response header
Affected items
Web Server
Details
No details are available.
Request headers
GET / HTTP/1.1
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Severity Low
Type Informational
Reported by module Crawler
Description
This cookie does not have the HTTPOnly flag set. When a cookie is set with the HTTPOnly flag, it instructs the browser
that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection
for session cookies.
Impact
None
Recommendation
If possible, you should set the HTTPOnly flag for this cookie.
Affected items
/
Details
Cookie name: "inventory_pushidros_al_session"
Cookie domain: "simkes.pushidrosal.id"
Request headers
GET / HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/
Details
Cookie name: "XSRF-TOKEN"
Cookie domain: "simkes.pushidrosal.id"
Request headers
GET / HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Severity Low
Type Validation
Reported by module Scripting (Html_Authentication_Audit.script)
Description
A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack
is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and
symbols until you discover the one correct combination that works.
This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended
to implement some type of account lockout after a defined number of incorrect password attempts. Consult Web
references for more information about fixing this problem.
Impact
An attacker may attempt to discover a weak password by systematically trying every possible combination of letters,
numbers, and symbols until it discovers the one correct combination that works.
Recommendation
It's recommended to implement some type of account lockout after a defined number of incorrect password attempts.
References
Blocking Brute Force Attacks
Affected items
/login
Details
The scanner tested 10 invalid credentials and no account lockout was detected.
Request headers
POST /login HTTP/1.1
Content-Length: 104
Content-Type: application/x-www-form-urlencoded
Referer: http://simkes.pushidrosal.id:80/
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
email=WfgDocSF%40simkes.pushidrosal.id&password=1ibclCGo&_token=Chw3ZY5nVZWgEHTDGHRfWva4
tKj8tcdIyhLlL0R3
Severity Low
Type Validation
Reported by module Scripting (Possible_Sensitive_Files.script)
Description
A possible sensitive file has been found. This file is not directly linked from the website. This check looks for common
sensitive resources such as password files, configuration files, log files, include files, statistics data and database dumps.
Each one of these files could help an attacker to learn more about their target.
Impact
This file may expose sensitive information that could help a malicious user to prepare more advanced attacks.
Recommendation
Restrict access to this file or remove it from the website.
References
Web Server Security and Database Server Security
Affected items
/.htaccess
Details
No details are available.
Request headers
GET /.htaccess HTTP/1.1
Accept: acunetix/wvs
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
/web.config
Details
No details are available.
Request headers
GET /web.config HTTP/1.1
Accept: acunetix/wvs
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Severity Informational
Type Informational
Reported by module Crawler
Description
A broken link refers to any link that should take you to a document, image or webpage, that actually results in an error.
This page was linked from the website but it is inaccessible.
Impact
Problems navigating the site.
Recommendation
Remove the links to this file or make it accessible.
Affected items
/dashboard.1.html (3faee4b8428532bfa83d562fd93ec763)
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET /dashboard.1.html?aside=dark&bg=&brand=dark-white&folded=false HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://simkes.pushidrosal.id/login
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/dashboard.2.html (af8ae1d163507ff84be3988a8c42d1c9)
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET /dashboard.2.html?aside=dark&bg=&brand=white&folded=false HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://simkes.pushidrosal.id/login
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/dashboard.3.html (528f1ec8fa7eda9b8525a6edea657328)
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET /dashboard.3.html?aside=white&bg=&brand=white&folded=false HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://simkes.pushidrosal.id/login
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/dashboard.4.html (3755f1d4fa6f165ecf1c13fec47a027d)
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET /dashboard.4.html?aside=dark&bg=&folded=true HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://simkes.pushidrosal.id/login
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/dashboard.8.html (528f1ec8fa7eda9b8525a6edea657328)
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET /dashboard.8.html?aside=white&bg=&brand=white&folded=false HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://simkes.pushidrosal.id/login
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/dashboard.html (ced398fc63285dcf94b46ea3bb790d5f)
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET /dashboard.html?aside=dark&bg=&brand=dark&folded=false HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://simkes.pushidrosal.id/login
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: simkes.pushidrosal.id
Severity Informational
Type Informational
Reported by module Scripting (Text_Search_File.script)
Description
One or more email addresses have been found on this page. The majority of spam comes from email addresses
harvested off the internet. The spam-bots (also known as email harvesters and email extractors) are programs that scour
the internet looking for email addresses on any website they come across. Spambot programs look for strings like
myname@mydomain.com and then record any addresses found.
Impact
Email addresses posted on Web sites may attract spam.
Recommendation
Check references for details on how to solve this problem.
References
Email Address Disclosed on Website Can be Used for Spam
Affected items
/register
Details
Pattern found: sample@email.tst
Request headers
GET /register HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://simkes.pushidrosal.id/login
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Severity Informational
Type Informational
Reported by module Crawler
Description
When a new name and password are entered in a form and the form is submitted, the browser asks whether the password
should be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or are
completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser
cache.
Impact
Possible sensitive information disclosure.
Recommendation
The password auto-complete should be disabled in sensitive applications.
To disable auto-complete, you may use a code similar to:
<INPUT TYPE="password" AUTOCOMPLETE="off">
Affected items
/login
Details
Password type input named password from unnamed form with action http://simkes.pushidrosal.id/login has
autocomplete enabled.
Request headers
GET /login HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://simkes.pushidrosal.id/
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/register
Details
Password type input named password_confirmation from unnamed form with action http://simkes.pushidrosal.id/register
has autocomplete enabled.
Request headers
GET /register HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://simkes.pushidrosal.id/login
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/register
Details
Password type input named password from unnamed form with action http://simkes.pushidrosal.id/register has
autocomplete enabled.
Request headers
GET /register HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://simkes.pushidrosal.id/login
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Severity Informational
Type Informational
Reported by module Scripting (Text_Search_File.script)
Description
A username and/or password was found in this file. This information could be sensitive.
Affected items
/assets/libs/font-awesome/css/font-awesome.min.css
Details
Pattern found: pass:before
Request headers
GET /assets/libs/font-awesome/css/font-awesome.min.css HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://simkes.pushidrosal.id/login
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*