Developer Report: Acunetix Website Audit 19 November, 2018

Acunetix Website Audit
19 November, 2018
Developer Report
Generated by Acunetix WVS Reporter (v10.5 Build 20160217)

Scan of http://simkes.pushidrosal.id:80/
Scan details
Scan information
Start time 18/11/2018 13:47:46
Finish time 18/11/2018 23:00:05
Scan time 9 hours, 12 minutes
Profile Default
Server information
Responsive True
Server banner nginx/1.12.2
Server OS Unknown
Server technologies PHP
Threat level
Acunetix Threat Level 2
One or more medium-severity type vulnerabilities have been discovered by the scanner.
You should investigate each of these vulnerabilities to ensure they will not escalate to
more severe problems.
Alerts distribution
Total alerts found 25

High 0
Medium 3
Low 6
Informational 16
Knowledge base
Possible registration page
A page where is possible to register a new user account was found at /register.
List of file extensions
File extensions can provide information on what technologies are being used on this website.
List of file extensions detected:
- txt => 1 file(s)

- css => 5 file(s)
- js => 16 file(s)
- woff2 => 1 file(s)
- htaccess => 1 file(s)
- config => 1 file(s)
List of client scripts
These files contain Javascript code referenced from the website.
- /assets/libs/bootstrap/dist/js/bootstrap.min.js
- /assets/libs/jquery/dist/jquery.min.js
- /assets/libs/popper.js/dist/umd/popper.min.js
- /assets/libs/pace-progress/pace.min.js
- /assets/libs/pjax/pjax.js
- /assets/html/scripts/lazyload.config.js
- /assets/html/scripts/lazyload.js
Acunetix Website Audit 2
- /assets/html/scripts/plugin.js
- /assets/html/scripts/nav.js
- /assets/html/scripts/scrollto.js
- /assets/html/scripts/toggleclass.js
- /assets/html/scripts/theme.js
- /assets/html/scripts/ajax.js
- /assets/html/scripts/app.js
- /js/app.js
List of files with inputs
These files have at least one input (GET or POST).
- / - 3 inputs
- /login - 1 inputs
- /rtl.html - 1 inputs
- /dashboard.html - 1 inputs
- /assets/libs/font-awesome/fonts/fontawesome-webfont.woff2 - 1 inputs
- /dashboard.7.html - 1 inputs
- /register - 1 inputs
- /password/email - 1 inputs
- /fonts/vendor/bootstrap-sass/bootstrap/glyphicons-halflings-regular.woff2 - 1 inputs
List of external hosts
These hosts were linked from this website but they were not scanned because they are not listed in the list of hosts
allowed. (Configuration-> Scan Settings ->Scanning Options-> List of hosts allowed).
- themeforest.net
- simkes.pushidrosal.id
- fonts.googleapis.com
- duckduckgo.com
- google.com
- stackoverflow.com
List of email addresses
List of all email addresses found on this host.
- sample@email.tst
Alerts summary
.htaccess file readable

Classification
CVSS Base Score: 5.0
- Access Vector: Network

- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
CWE CWE-16
Affected items Variation
/ s1

User credentials are sent in clear text
Classification

CVSS3 Base Score: 9,1
- Attack Vector: Network

- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
CWE CWE-310
/login s1
/register 1
Clickjacking: X-Frame-Options header missing

Classification

- Access Complexity: Medium
- Integrity Impact: Partial
- Availability Impact: Partial
CWE CWE-693
Web Server s1
Cookie without HttpOnly flag set

Classification

- Confidentiality Impact: None
CWE CWE-16
/ s2

Login page password-guessing attack
Classification


- Scope: Unchanged
- Availability Impact: Low
CWE CWE-307
/login s1
Possible sensitive files

Classification


- Scope: Unchanged
CWE CWE-200
/.htaccess s1
/web.config 1

Broken links
Classification

CWE CWE-16
/dashboard.1.html (3faee4b8428532bfa83d562fd93ec763) s1
/dashboard.2.html (af8ae1d163507ff84be3988a8c42d1c9) 1
/dashboard.3.html (528f1ec8fa7eda9b8525a6edea657328) 1
/dashboard.4.html (3755f1d4fa6f165ecf1c13fec47a027d) 1
/dashboard.5.html (3b0ab3dfc602f5c894cdce6cbd5263f5) 1
/dashboard.7.html (ced398fc63285dcf94b46ea3bb790d5f) 1
/dashboard.html (ced398fc63285dcf94b46ea3bb790d5f) 1
/fonts/vendor/bootstrap-sass/bootstrap/glyphicons-halflings-regular.woff2 1
(f7f5c42fa4f904ec263ea5c215f83ab5)
/rtl.html (17613001ba2a0f8572bc4e531366dce2) 1
Email address found

Classification


- Scope: Unchanged
CWE CWE-200
/register s1

Password type input with auto-complete enabled
Classification


- Scope: Unchanged
CWE CWE-200
/login s1
/register 2
Possible username or password disclosure

Classification


- Scope: Unchanged
CWE CWE-200
/assets/libs/font-awesome/css/font-awesome.min.css s1

Alert details
.htaccess file readable
Severity Medium
Type Validation
Reported by module Scripting (htaccess_File_Readable.script)
Description
This directory contains an .htaccess file that is readable. This may indicate a server misconfiguration. htaccess files are
designed to be parsed by web server and should not be directly accessible. These files could contain sensitive
information that could help an attacker to conduct further attacks. It's recommended to restrict access to this file.
Impact
Possible sensitive information disclosure.
Recommendation
Restrict access to the .htaccess file by adjusting the web server configuration.
Affected items
/
Details
No details are available.
Request headers
GET /.htaccess HTTP/1.1
(line truncated)
...kZoTFk4NkxrVU40VGRncTE5bVdSVnJUNkY1RmdPcXdrcXBQXC90M2hBc0xKM0MwSjNTWmR5XC9SeWc9PSIsIm
1hYyI6IjZiNmJhM2UyNDRkNmIzNzc5MTYwOGJkMGRjMmUzYjhmNTk0OWI4NmQyNGRhZGI1ZjZlZjhkMGEyZWNlYz
UxYjEifQ%3D%3D;
inventory_pushidros_al_session=eyJpdiI6IklXSlhaNFJtUjdLMkhGeUFyWHNPVUE9PSIsInZhbHVlIjoiS
mc1ZGVMdjRGMHdPNkFJSkdkWUJRZTB1M1pYUTk0WUdWc3RwVUMzdUo4anBSMFlqVytoYVQwSDBZNnJVeFc3bVFpc
nIrTG8wWVJ4aVRvK21lRFFNdnc9PSIsIm1hYyI6IjRmMThlYzEwMmVjZmZiYmQ1OTAxMTk2ZTBlOTQ4NWJmNzVhM
mFjMDM1YTQ2YzJlNDU0ZDJiOGI0ZTcyNDJlMzIifQ%3D%3D
Host: simkes.pushidrosal.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*

User credentials are sent in clear text
Severity Medium
Type Configuration
Reported by module Crawler
Description
User credentials are transmitted over an unencrypted channel. This information should always be transferred via an
encrypted channel (HTTPS) to avoid being intercepted by malicious users.
Impact
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.
Recommendation
Because user credentials are considered sensitive information, should always be transferred to the server over an
encrypted connection (HTTPS).
Affected items
/login
Details
Form name: <empty>
Form action: http://simkes.pushidrosal.id/login
Form method: POST
Form inputs:
- _token [Hidden]
- email [Text]
- password [Password]
Request headers
GET /login HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://simkes.pushidrosal.id/
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: *****
Acunetix-Aspect-Queries: filelist;aspectalerts
(line truncated)
...QVmhUaGJYT0VrQ1lubyt2cWNzZysweGU5MzZ4TmpJczZDRFdQdVJmN2FYS0crUzJCdlk3RTRYcDNuN2c9PSIs
Im1hYyI6IjVjYTA3YzdkOGM4ZmVlOWNhMTAyMTc5MjAwNWQ4MTg1ZWMzYjVkYThkMTAyMTc4MmJlODZmNjFjYzU0
YjRkZjQifQ%3D%3D;
inventory_pushidros_al_session=eyJpdiI6IkRvZmpuenlwTUt6cEtlalZsYXFpVVE9PSIsInZhbHVlIjoid
W5aUlJVS05HckRUN2lBUVIyalVDc3BzczNPcWc3VmZYQUtYd0d5ZEdHUHBCRVdJK2RNZTNWSVlRMldQc2Vwc0kwT
VwvNDRxUE1QampCZ2Rod1RrQk1nPT0iLCJtYWMiOiI2ZGI4ZDg2NzAxZDAxNTBjY2VhNTIyZWVjMzEyN2U3YzYwO
GVlMjE4MDhlN2JlNjg0OTEzM2VkZDVkZmQxYWY0In0%3D
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/register

Details
Form name: <empty>
Form action: http://simkes.pushidrosal.id/register
Form method: POST
Form inputs:
- _token [Hidden]
- name [Text]
- email [Text]
- password [Password]
- password_confirmation [Password]
Request headers
GET /register HTTP/1.1
Pragma: no-cache
Referer: http://simkes.pushidrosal.id/login
(line truncated)
...aRFVFQ01RR2RsN0QwZStBcVNWZjFzREZzN0twRllSSitZNHJmcW9EaVh4OGRUS21TdnpTbmlFTlwvOGFobzZB
PT0iLCJtYWMiOiJkYzhlZjk3M2Q0MTViZGFkYTAwZDUxZGFlODMwOGRiY2IyMDljYTAzZDQ0NmE0NzRiYWI0NWUy
ODk1MTM2ZTIyIn0%3D;
inventory_pushidros_al_session=eyJpdiI6IjRuNkdxaUlyRmtLQlNzTkxnMmkwVFE9PSIsInZhbHVlIjoiU
lpyUXJFMUlXVENobHJ2YWNrZWVySnFUVERNV3RvS3RzQVp1Wlc3VVFzMGF1dlwveVBOQXEzeTEwOWQ5OW83WEZyc
WxwQmZLWndcL0JMRHpMWEt1cWFkdz09IiwibWFjIjoiNDBjMzg0NGQwOTdjYWFlMGY5Mzk1ZTllMWI0MjE5YzU5M
zRkMGU0ZWZkZmFmZWI0YmJjY2I4NWQ3YTQ0NTU5OCJ9
Chrome/41.0.2228.0 Safari/537.21
Accept: */*

Clickjacking: X-Frame-Options header missing
Severity Low
Type Configuration
Reported by module Scripting (Clickjacking_X_Frame_Options.script)
Description
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web
user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing
confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking
attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be
allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their
content is not embedded into other sites.
Impact
The impact depends on the affected web application.
Recommendation
Configure your web server to include an X-Frame-Options header. Consult Web references for more information about
the possible values for this header.
References
Clickjacking Protection for Java EE
Frame Buster Buster
Defending with Content Security Policy frame-ancestors directive
OWASP Clickjacking
Clickjacking
The X-Frame-Options response header
Affected items
Web Server
Details
Request headers
GET / HTTP/1.1
(line truncated)
...GQ2NVJNQ09VeHZoNnU0UkN2VkU1SDgzRktZRXppUjhvelwvcGk2dUdHZ3ZOYlh2c1hReVZqNTJlTWc9PSIsIm
1hYyI6IjI5ZWJlMTczNDEwMjM3MWNmYjgyZWJjZjAyMmE5ZmM0NDAwNmQxZDgwNjRlYjVlMmYxZGU1ZjNmMWEwMz
U2YmEifQ%3D%3D;
inventory_pushidros_al_session=eyJpdiI6Ikx5QXdWOHo2eDdYQnBhMFB6MHdUSFE9PSIsInZhbHVlIjoiZ
XJId0dBQnE2UUJjY21sTlNhMk9xeGcxZXFPUmZVNTZQaU5ZWUNnRUVod3hOY1U0dTBVQXZ5T05Tc2NIQ2ZodGNZa
EluVGdKZGFwZFNoT0xWVmF2anc9PSIsIm1hYyI6IjM1NjczYzkxMGM5NDZmZmU3NzczNWQ2NWRkZjMzMjRkYmE1M
Tg3MTg2ZjIyMDFhN2FkNTJiMDVjYmY2ZmRjMDAifQ%3D%3D
Chrome/41.0.2228.0 Safari/537.21
Accept: */*

Cookie without HttpOnly flag set
Severity Low
Type Informational
Description
This cookie does not have the HTTPOnly flag set. When a cookie is set with the HTTPOnly flag, it instructs the browser
that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection
for session cookies.
Impact
None
Recommendation
If possible, you should set the HTTPOnly flag for this cookie.
Affected items
/
Details
Cookie name: "inventory_pushidros_al_session"
Cookie domain: "simkes.pushidrosal.id"
Request headers
GET / HTTP/1.1
Pragma: no-cache
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/
Details
Cookie name: "XSRF-TOKEN"
Cookie domain: "simkes.pushidrosal.id"
Request headers
GET / HTTP/1.1
Pragma: no-cache
Chrome/41.0.2228.0 Safari/537.21
Accept: */*

Login page password-guessing attack
Severity Low
Type Validation
Reported by module Scripting (Html_Authentication_Audit.script)
Description
A common threat web developers face is a password-guessing attack known as a brute force attack. A brute-force attack
is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and
symbols until you discover the one correct combination that works.
This login page doesn't have any protection against password-guessing attacks (brute force attacks). It's recommended
to implement some type of account lockout after a defined number of incorrect password attempts. Consult Web
references for more information about fixing this problem.
Impact
An attacker may attempt to discover a weak password by systematically trying every possible combination of letters,
numbers, and symbols until it discovers the one correct combination that works.
Recommendation
It's recommended to implement some type of account lockout after a defined number of incorrect password attempts.
References
Blocking Brute Force Attacks
Affected items
/login
Details
The scanner tested 10 invalid credentials and no account lockout was detected.
Request headers
POST /login HTTP/1.1
Content-Length: 104
Content-Type: application/x-www-form-urlencoded
Referer: http://simkes.pushidrosal.id:80/
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
email=WfgDocSF%40simkes.pushidrosal.id&password=1ibclCGo&_token=Chw3ZY5nVZWgEHTDGHRfWva4
tKj8tcdIyhLlL0R3

Possible sensitive files
Severity Low
Type Validation
Reported by module Scripting (Possible_Sensitive_Files.script)
Description
A possible sensitive file has been found. This file is not directly linked from the website. This check looks for common
sensitive resources like password files, configuration files, log files, include files, statistics data, database dumps. Each
one of these files could help an attacker to learn more about his target.
Impact
This file may expose sensitive information that could help a malicious user to prepare more advanced attacks.
Recommendation
Restrict access to this file or remove it from the website.
References
Web Server Security and Database Server Security
Affected items
/.htaccess
Details
Request headers
GET /.htaccess HTTP/1.1
Accept: acunetix/wvs
(line truncated)
UxYjEifQ%3D%3D;
Chrome/41.0.2228.0 Safari/537.21
/web.config
Details
Request headers
GET /web.config HTTP/1.1
Accept: acunetix/wvs
(line truncated)
UxYjEifQ%3D%3D;
Chrome/41.0.2228.0 Safari/537.21

Broken links
Severity Informational
Type Informational
Description
A broken link refers to any link that should take you to a document, image or webpage, that actually results in an error.
This page was linked from the website but it is inaccessible.
Impact
Problems navigating the site.
Recommendation
Remove the links to this file or make it accessible.
Affected items
/dashboard.1.html (3faee4b8428532bfa83d562fd93ec763)
Details
For a complete list of URLs linking to this file, go to Site Structure > Locate and select the file (marked as "Not Found") >
select Referrers Tab from the bottom of the Information pane.
Request headers
GET /dashboard.1.html?aside=dark&bg=&brand=dark-white&folded=false HTTP/1.1
Pragma: no-cache
(line truncated)
ODk1MTM2ZTIyIn0%3D;
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/dashboard.2.html (af8ae1d163507ff84be3988a8c42d1c9)
Details
Request headers
GET /dashboard.2.html?aside=dark&bg=&brand=white&folded=false HTTP/1.1
Pragma: no-cache
(line truncated)
ODk1MTM2ZTIyIn0%3D;
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/dashboard.3.html (528f1ec8fa7eda9b8525a6edea657328)
Details
Request headers
GET /dashboard.3.html?aside=white&bg=&brand=white&folded=false HTTP/1.1
Pragma: no-cache
(line truncated)
ODk1MTM2ZTIyIn0%3D;
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/dashboard.4.html (3755f1d4fa6f165ecf1c13fec47a027d)
Details
Request headers
GET /dashboard.4.html?aside=dark&bg=&folded=true HTTP/1.1
Pragma: no-cache
(line truncated)
ODk1MTM2ZTIyIn0%3D;
Chrome/41.0.2228.0 Safari/537.21
Accept: */*

/dashboard.5.html (3b0ab3dfc602f5c894cdce6cbd5263f5)
Details
Request headers
GET /dashboard.5.html?aside=dark&bg=&brand=dark&folded=true HTTP/1.1
Pragma: no-cache
(line truncated)
ODk1MTM2ZTIyIn0%3D;
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Details
Request headers
Pragma: no-cache
(line truncated)
ODk1MTM2ZTIyIn0%3D;
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/dashboard.7.html (ced398fc63285dcf94b46ea3bb790d5f)
Details
Request headers
GET /dashboard.7.html?aside=dark&bg=&brand=dark&folded=false HTTP/1.1
Pragma: no-cache
(line truncated)
ODk1MTM2ZTIyIn0%3D;
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Details
Request headers
Pragma: no-cache
(line truncated)
ODk1MTM2ZTIyIn0%3D;
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/dashboard.html (ced398fc63285dcf94b46ea3bb790d5f)
Details
Request headers
GET /dashboard.html?aside=dark&bg=&brand=dark&folded=false HTTP/1.1
Pragma: no-cache
(line truncated)
...1dRWGcrTFR5YVZXTUtVSkZGVis1MnZRYkE2MFc0a2dcL3FQcVd5QmlhSjNuYSt3YVF4UnhFdVVZOXVlS0RBPT
0iLCJtYWMiOiI3MjVkOGRiYTNhNjRlNjJlZGI2Mjc3ZTc1NmJlMTcwMWJmNDFhYWFlZWFjOTAzZjE5NTFkOGU3ZT
ExN2Q5NWU5In0%3D;
inventory_pushidros_al_session=eyJpdiI6ImZvTDBhUFdqK2w5ZGM0ZU1UZ3kwRWc9PSIsInZhbHVlIjoiQ
U03Q3FPN2M4S1dkME1KOEpleG8wWDR0akNwXC9RaXRWM1YwN2dVdWdZWVE5Zk1IclNBSm84U21vZmRpSHdBSzRqT
0gxelgzSEQ3QmRsUlY2SFpWcVlBPT0iLCJtYWMiOiJmMmE4MTk0YjE3NDg4OGZjMDk3Njc1NzRmZWYyZjA0MjEwZ
DY5MGNiMTJjYWI2ODMwMGMyMTk0NzRhN2Y0MWMxIn0%3D

Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/fonts/vendor/bootstrap-sass/bootstrap/glyphicons-halflings-regular.woff2 (f7f5c42fa4f904ec263ea5c215f83ab5)
Details
Request headers
GET
/fonts/vendor/bootstrap-sass/bootstrap/glyphicons-halflings-regular.woff2?448c34a56d699c
29117adc64c43affeb HTTP/1.1
Pragma: no-cache
Referer: http://simkes.pushidrosal.id/css/app.css
(line truncated)
...TVWc1FneWxtaGJrWjVNNTMyXC9VMFlHYVJSNVpQNDRCSUNLMHYxRWFlOGltUThtWVBDU1NBK0E1TUxnQT09Ii
wibWFjIjoiNjgxOTg3MTgwZWRlNGY1YzBjZWM2MzQ4MzUyZDdiZjE0NDdkODhkMGRlNThhNjNiMmFlNmY3NTljMj
liMjgwZCJ9;
inventory_pushidros_al_session=eyJpdiI6IkxWSGM1bDA0VVdVM3ZhQ0RlM0VUM2c9PSIsInZhbHVlIjoiQ
W80YXYzYmhoQmpGREw1K1M4MW5XeUROZ05hMFlcL0RxbnZ1SGI4Mjh0blFHdlVcL1hZM2pRTnNPT0RMOUZWTTFaa
09QVFRiWFlhdkFaXC9ZYUlvV1EzVlE9PSIsIm1hYyI6IjZjOGI1M2E1YThlNzFiMDFkZDIwYTY3NjA5ODllZDdmN
WQ2YTBkOTZiM2Y0YjU1NGI0OTJlOGUyM2NiNzllMTYifQ%3D%3D
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/rtl.html (17613001ba2a0f8572bc4e531366dce2)
Details
Request headers
GET /rtl.html?folded&bg= HTTP/1.1
Pragma: no-cache
(line truncated)
...1dRWGcrTFR5YVZXTUtVSkZGVis1MnZRYkE2MFc0a2dcL3FQcVd5QmlhSjNuYSt3YVF4UnhFdVVZOXVlS0RBPT
0iLCJtYWMiOiI3MjVkOGRiYTNhNjRlNjJlZGI2Mjc3ZTc1NmJlMTcwMWJmNDFhYWFlZWFjOTAzZjE5NTFkOGU3ZT
ExN2Q5NWU5In0%3D;
inventory_pushidros_al_session=eyJpdiI6ImZvTDBhUFdqK2w5ZGM0ZU1UZ3kwRWc9PSIsInZhbHVlIjoiQ
U03Q3FPN2M4S1dkME1KOEpleG8wWDR0akNwXC9RaXRWM1YwN2dVdWdZWVE5Zk1IclNBSm84U21vZmRpSHdBSzRqT
0gxelgzSEQ3QmRsUlY2SFpWcVlBPT0iLCJtYWMiOiJmMmE4MTk0YjE3NDg4OGZjMDk3Njc1NzRmZWYyZjA0MjEwZ
DY5MGNiMTJjYWI2ODMwMGMyMTk0NzRhN2Y0MWMxIn0%3D
Chrome/41.0.2228.0 Safari/537.21
Accept: */*

Email address found
Type Informational
Reported by module Scripting (Text_Search_File.script)
Description
One or more email addresses have been found on this page. The majority of spam comes from email addresses
harvested off the internet. The spam-bots (also known as email harvesters and email extractors) are programs that scour
the internet looking for email addresses on any website they come across. Spambot programs look for strings like
myname@mydomain.com and then record any addresses found.
Impact
Email addresses posted on Web sites may attract spam.
Recommendation
Check references for details on how to solve this problem.
References
Email Address Disclosed on Website Can be Used for Spam
Affected items
/register
Details
Pattern found: sample@email.tst
Request headers
Pragma: no-cache
(line truncated)
ODk1MTM2ZTIyIn0%3D;
Chrome/41.0.2228.0 Safari/537.21
Accept: */*

Password type input with auto-complete enabled
Type Informational
Description
When a new name and password is entered in a form and the form is submitted, the browser asks if the password
should be saved.Thereafter when the form is displayed, the name and password are filled in automatically or are
completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser
cache.
Impact
Recommendation
The password auto-complete should be disabled in sensitive applications.
To disable auto-complete, you may use a code similar to:
<INPUT TYPE="password" AUTOCOMPLETE="off">
Affected items
/login
Details
Password type input named password from unnamed form with action http://simkes.pushidrosal.id/login has
autocomplete enabled.
Request headers
GET /login HTTP/1.1
Pragma: no-cache
Referer: http://simkes.pushidrosal.id/
(line truncated)
...QVmhUaGJYT0VrQ1lubyt2cWNzZysweGU5MzZ4TmpJczZDRFdQdVJmN2FYS0crUzJCdlk3RTRYcDNuN2c9PSIs
Im1hYyI6IjVjYTA3YzdkOGM4ZmVlOWNhMTAyMTc5MjAwNWQ4MTg1ZWMzYjVkYThkMTAyMTc4MmJlODZmNjFjYzU0
YjRkZjQifQ%3D%3D;
inventory_pushidros_al_session=eyJpdiI6IkRvZmpuenlwTUt6cEtlalZsYXFpVVE9PSIsInZhbHVlIjoid
W5aUlJVS05HckRUN2lBUVIyalVDc3BzczNPcWc3VmZYQUtYd0d5ZEdHUHBCRVdJK2RNZTNWSVlRMldQc2Vwc0kwT
VwvNDRxUE1QampCZ2Rod1RrQk1nPT0iLCJtYWMiOiI2ZGI4ZDg2NzAxZDAxNTBjY2VhNTIyZWVjMzEyN2U3YzYwO
GVlMjE4MDhlN2JlNjg0OTEzM2VkZDVkZmQxYWY0In0%3D
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/register
Details
Password type input named password_confirmation from unnamed form with action http://simkes.pushidrosal.id/register
has autocomplete enabled.
Request headers
Pragma: no-cache
(line truncated)
ODk1MTM2ZTIyIn0%3D;
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
/register
Details
Password type input named password from unnamed form with action http://simkes.pushidrosal.id/register has
autocomplete enabled.
Request headers
Pragma: no-cache
(line truncated)
ODk1MTM2ZTIyIn0%3D;
Chrome/41.0.2228.0 Safari/537.21
Accept: */*

Possible username or password disclosure
Type Informational
Reported by module Scripting (Text_Search_File.script)
Description
A username and/or password was found in this file. This information could be sensitive.
This alert may be a false positive, manual confirmation is required.

Impact
Recommendation
Remove this file from your website or change its permissions to remove access.
Affected items
/assets/libs/font-awesome/css/font-awesome.min.css
Details
Pattern found: pass:before
Request headers
GET /assets/libs/font-awesome/css/font-awesome.min.css HTTP/1.1
Pragma: no-cache
(line truncated)
ODk1MTM2ZTIyIn0%3D;
Chrome/41.0.2228.0 Safari/537.21
Accept: */*

Scanned items (coverage report)
Scanned 71 URLs. Found 4 vulnerable.
URL: http://simkes.pushidrosal.id/
Vulnerabilities have been identified for this URL
4 input(s) found for this URL
Inputs
Input scheme 1
Input name Input type
/ Path Fragment
Input scheme 2
/ Path Fragment
/ Path Fragment
Input scheme 3
Host HTTP Header
URL: http://simkes.pushidrosal.id/login
Inputs
Input scheme 1
_token URL encoded POST
email URL encoded POST
password URL encoded POST
URL: http://simkes.pushidrosal.id/robots.txt
No vulnerabilities have been identified for this URL
No input(s) found for this URL
URL: http://simkes.pushidrosal.id/rtl.html
Inputs
Input scheme 1
URL encoded GET
bg URL encoded GET
URL: http://simkes.pushidrosal.id/dashboard.html
Inputs
Input scheme 1
aside URL encoded GET
bg URL encoded GET
brand URL encoded GET
folded URL encoded GET

URL: http://simkes.pushidrosal.id/assets
URL: http://simkes.pushidrosal.id/assets/images
URL: http://simkes.pushidrosal.id/assets/assets
URL: http://simkes.pushidrosal.id/assets/assets/css
URL: http://simkes.pushidrosal.id/assets/assets/css/app.css
URL: http://simkes.pushidrosal.id/assets/assets/css/style.css
URL: http://simkes.pushidrosal.id/assets/assets/images
URL: http://simkes.pushidrosal.id/assets/libs
URL: http://simkes.pushidrosal.id/assets/libs/bootstrap
URL: http://simkes.pushidrosal.id/assets/libs/bootstrap/dist
URL: http://simkes.pushidrosal.id/assets/libs/bootstrap/dist/css
URL: http://simkes.pushidrosal.id/assets/libs/bootstrap/dist/css/bootstrap.min.css
URL: http://simkes.pushidrosal.id/assets/libs/bootstrap/dist/js
URL: http://simkes.pushidrosal.id/assets/libs/bootstrap/dist/js/bootstrap.min.js
URL: http://simkes.pushidrosal.id/assets/libs/font-awesome

URL: http://simkes.pushidrosal.id/assets/libs/font-awesome/css
URL: http://simkes.pushidrosal.id/assets/libs/font-awesome/css/font-awesome.min.css
URL: http://simkes.pushidrosal.id/assets/libs/font-awesome/fonts
URL: http://simkes.pushidrosal.id/assets/libs/font-awesome/fonts/fontawesome-webfont.woff2
Inputs
Input scheme 1
v URL encoded GET
URL: http://simkes.pushidrosal.id/assets/libs/jquery
URL: http://simkes.pushidrosal.id/assets/libs/jquery/dist
URL: http://simkes.pushidrosal.id/assets/libs/jquery/dist/jquery.min.js
URL: http://simkes.pushidrosal.id/assets/libs/popper.js
URL: http://simkes.pushidrosal.id/assets/libs/popper.js/dist
URL: http://simkes.pushidrosal.id/assets/libs/popper.js/dist/umd
URL: http://simkes.pushidrosal.id/assets/libs/popper.js/dist/umd/popper.min.js
URL: http://simkes.pushidrosal.id/assets/libs/pace-progress
URL: http://simkes.pushidrosal.id/assets/libs/pace-progress/pace.min.js
URL: http://simkes.pushidrosal.id/assets/libs/pjax

URL: http://simkes.pushidrosal.id/assets/libs/pjax/pjax.js
URL: http://simkes.pushidrosal.id/assets/html
URL: http://simkes.pushidrosal.id/assets/html/scripts
URL: http://simkes.pushidrosal.id/assets/html/scripts/lazyload.config.js
URL: http://simkes.pushidrosal.id/assets/html/scripts/lazyload.js
URL: http://simkes.pushidrosal.id/assets/html/scripts/plugin.js
URL: http://simkes.pushidrosal.id/assets/html/scripts/nav.js
URL: http://simkes.pushidrosal.id/assets/html/scripts/scrollto.js
URL: http://simkes.pushidrosal.id/assets/html/scripts/toggleclass.js
URL: http://simkes.pushidrosal.id/assets/html/scripts/theme.js
URL: http://simkes.pushidrosal.id/assets/html/scripts/ajax.js
URL: http://simkes.pushidrosal.id/assets/html/scripts/app.js
URL: http://simkes.pushidrosal.id/dashboard.7.html
Inputs
Input scheme 1
bg URL encoded GET

Inputs
Input scheme 1
bg URL encoded GET
Inputs
Input scheme 1
bg URL encoded GET
Inputs
Input scheme 1
bg URL encoded GET
URL: http://simkes.pushidrosal.id/register
Inputs
Input scheme 1
name URL encoded POST
password URL encoded POST
password_confirmation URL encoded POST
URL: http://simkes.pushidrosal.id/password
URL: http://simkes.pushidrosal.id/password/reset

URL: http://simkes.pushidrosal.id/password/email
Inputs
Input scheme 1
Inputs
Input scheme 1
bg URL encoded GET
Inputs
Input scheme 1
bg URL encoded GET
Inputs
Input scheme 1
bg URL encoded GET
Inputs
Input scheme 1
bg URL encoded GET

URL: http://simkes.pushidrosal.id/css
URL: http://simkes.pushidrosal.id/css/app.css
URL: http://simkes.pushidrosal.id/js
URL: http://simkes.pushidrosal.id/js/app.js
URL: http://simkes.pushidrosal.id/fonts
URL: http://simkes.pushidrosal.id/fonts/vendor
URL: http://simkes.pushidrosal.id/fonts/vendor/bootstrap-sass
URL: http://simkes.pushidrosal.id/fonts/vendor/bootstrap-sass/bootstrap
URL: http://simkes.pushidrosal.id/fonts/vendor/bootstrap-sass/bootstrap/glyphicons-halflings-regular.woff2
Inputs
Input scheme 1
URL encoded GET
URL: http://simkes.pushidrosal.id/libs
URL: http://simkes.pushidrosal.id/libs/screenfull
URL: http://simkes.pushidrosal.id/libs/screenfull/dist
URL: http://simkes.pushidrosal.id/libs/screenfull/dist/screenfull.js

Developer Report: Acunetix Website Audit 19 November, 2018

Uploaded by

Copyright:

Available Formats

Developer Report: Acunetix Website Audit 19 November, 2018

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Developer Report: Acunetix Website Audit 19 November, 2018

Uploaded by

Copyright:

Available Formats

Acunetix Website Audit

Generated by Acunetix WVS Reporter (v10.5 Build 20160217)

Total alerts found 25

- txt => 1 file(s)

.htaccess file readable

- Access Vector: Network

Acunetix Website Audit 3

- Access Vector: Network

- Attack Vector: Network

Clickjacking: X-Frame-Options header missing

- Access Vector: Network

Cookie without HttpOnly flag set

- Access Vector: Network

Acunetix Website Audit 4

- Access Vector: Network

- Attack Vector: Network

Possible sensitive files

- Access Vector: Network

- Attack Vector: Network

Acunetix Website Audit 5

- Access Vector: Network

Email address found

- Access Vector: Network

- Attack Vector: Network

Acunetix Website Audit 6

- Access Vector: Network

- Attack Vector: Network

Possible username or password disclosure

- Access Vector: Network

- Attack Vector: Network

Acunetix Website Audit 7

.htaccess file readable

Acunetix Website Audit 8

Acunetix Website Audit 9

Acunetix Website Audit 10

Acunetix Website Audit 11

Acunetix Website Audit 12

Acunetix Website Audit 13

Acunetix Website Audit 14

Acunetix Website Audit 16

Acunetix Website Audit 18

Acunetix Website Audit 19

Acunetix Website Audit 20

Acunetix Website Audit 22

This alert may be a false positive, manual confirmation is required.

Acunetix Website Audit 23

Acunetix Website Audit 24

Acunetix Website Audit 25

Acunetix Website Audit 26

Acunetix Website Audit 27

Acunetix Website Audit 28

Acunetix Website Audit 29

Acunetix Website Audit 30

You might also like