CTS Report 20210811 Originaltaxi Com BR
SCANNING REPORT
taxi
11 AUG 21 19:53 CEST
https://originaltaxi.com.br
1 Overview
critical: 0
high: 0
medium: 7
low: 0
informational: 5
CRITICAL (9 - 10): These findings are very critical whilst posing an immediate threat. Fixing these issues should be the highest priority, regardless of any other issues.
INFO (0): Informational findings do not pose any threat but have solely informational purpose.
1.2 Scanner Overview
1.2.1 Used Scanners
During the scan, the Crashtest Security Suite was looking for the following kinds of vulnerabilities and security issues:
Progress: 100%, 5 completed
5.3  The webserver is running nginx 1.16.1 (There are no known CVE issues for this finding)  2  2
1.3.2 PORTSCAN
0.0  Found open port "5432/tcp" with service name "PostgreSQL DB"  2  2
1.3.3 SSL/TLS
0.0  DNS Certification Authority Authorization (CAA) Resource Record / RFC6844: Not offered  2  2
6.5  The Content-Security-Policy header is not set for URL https://originaltaxi.com.br.  2  2
4.3  The X-Content-Type-Options header is not set for URL https://originaltaxi.com.br.  2  2
4.8  The Strict-Transport-Security (HSTS) header is not set for URL https://originaltaxi.com.br.  2  2
2 Findings  8
2.1 SSL/TLS  8
2.1.1 What is this?  8
2.1.2 SSL Cipher Order  8
2.1.3 Missing SSL CAA record  9
2.2 HTTPHEADER  10
2.2.1 What is this?  10
2.2.2 Content-Security-Policy Header  10
2.2.3 X-Content-Type-Options Header  11
2.2.4 Missing HSTS  12
2.2.5 X-Frame-Options Header  13
2.2.6 Referrer-Policy Header  14
2.3 FINGERPRINTING  15
2.3.1 What is this?  15
2.3.2 Fingerprint Web Server  15
2.4 PORTSCAN  16
2.4.1 What is this?  16
2.4.2 Portscanner  16
2.1 SSL/TLS
2.1.1 What is this?
Transport Layer Security (TLS), more widely known by its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most obvious part of it is HTTPS, with which providers can secure all communications between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card information cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well-configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.
2.1.2 SSL Cipher Order
Severity
Base Score: medium (4.8/10)
Impact: low (2.5/10)
All values are based on the Common Vulnerability Scoring System v3.
Description
There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection.
Finding
+ There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.
How to fix
There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their order should be set to match secure values. More details on how to set these values can be found in the knowledge database (see Recommendations).
Recommendations
https://wiki.crashtest-security.com/configure-ssl-cipher-order
2.1.3 Missing SSL CAA record
Severity
Base Score: informational (0/10)
Impact: informational (0/10)
All values are based on the Common Vulnerability Scoring System v3.
Description
The domain's DNS zone does not specify any Certification Authority Authorization (CAA) record. This means that all certificate authorities (CAs) are allowed to issue certificates for this domain. To decrease the risk of rogue certificates, append the CAA settings to the DNS records.
Finding
+ DNS Certification Authority Authorization (CAA) Resource Record / RFC6844: Not offered
How to fix
The domain's DNS zone does not specify any Certification Authority Authorization (CAA) record. This means that all certificate authorities (CAs) are allowed to issue certificates for this domain. To decrease the risk of rogue certificates, the CAA setting needs to be added to the DNS records. More details on how to set the CAA setting can be found in the knowledge database (see Recommendations).
Recommendations
https://wiki.crashtest-security.com/enable-missing-ssl-caa-record
2.2 HTTPHEADER
2.2.2 Content-Security-Policy Header
Severity
Base Score: medium (6.5/10)
Impact: low (2.5/10)
All values are based on the Common Vulnerability Scoring System v3.
Description
The Content-Security-Policy header tells the browser which domains are whitelisted as sources for further resources such as scripts, images or stylesheets. This can prevent various cross-site scripting (XSS) and related injection attacks.
Finding
+ The Content-Security-Policy header is not set for URL https://originaltaxi.com.br.
How to fix
Configure the Content-Security-Policy header in a way that it only allows loading resources from trusted sources such as 'self'. Do not include 'unsafe-eval' or 'unsafe-inline', in order to prevent direct injections into the website.
Recommendations
https://wiki.crashtest-security.com/enable-security-headers
2.2.3 X-Content-Type-Options Header
Severity
Base Score: medium (4.3/10)
Impact: low (1.4/10)
All values are based on the Common Vulnerability Scoring System v3.
Description
The X-Content-Type-Options header prevents the browser from trying to detect MIME types on downloaded files. This protects against attacks in cases where a malicious file is offered with an unsuspicious MIME type.
Finding
+ The X-Content-Type-Options header is not set for URL https://originaltaxi.com.br.
How to fix
Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based on file content.
Recommendations
https://wiki.crashtest-security.com/enable-security-headers
2.2.4 Missing HSTS
Severity
Base Score: medium (4.8/10)
Impact: low (2.5/10)
All values are based on the Common Vulnerability Scoring System v3.
Description
The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.
Finding
+ The Strict-Transport-Security (HSTS) header is not set for URL https://originaltaxi.com.br.
How to fix
The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the used SSL certificate and the webserver, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).
Recommendations
https://wiki.crashtest-security.com/enable-hsts
2.2.5 X-Frame-Options Header
Severity
Base Score: medium (6.5/10)
Impact: low (3.6/10)
All values are based on the Common Vulnerability Scoring System v3.
Description
The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third-party websites, which makes it vulnerable to clickjacking attacks.
Finding
+ The X-Frame-Options header is not set for URL https://originaltaxi.com.br.
How to fix
Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow it to be embedded on certain websites while forbidding embedding on other websites.
Recommendations
https://wiki.crashtest-security.com/enable-security-headers
2.2.6 Referrer-Policy Header
Severity
Base Score: medium (4.3/10)
Impact: low (1.4/10)
All values are based on the Common Vulnerability Scoring System v3.
Description
The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A misconfigured or missing header may leak sensitive information to third-party websites that are visited by clicking on a link.
Finding
+ The Referrer-Policy header is not set for URL https://originaltaxi.com.br.
How to fix
Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin' to overwrite the Referer header with your domain instead of the full path when clicking on external links and keep the Referer for internal links, but only when the connection is not downgraded from HTTPS to HTTP.
Recommendations
https://wiki.crashtest-security.com/enable-security-headers
2.3 FINGERPRINTING
2.3.2 Fingerprint Web Server
Severity
Base Score: medium (5.3/10)
Impact: low (1.4/10)
All values are based on the Common Vulnerability Scoring System v3.
Description
The webserver publicly provides information about itself such as its name or version. This gives attackers the possibility to look for exploits specifically targeting the webserver in its exact version.
Finding
+ The webserver is running nginx 1.16.1 (There are no known CVE issues for this finding)
How to fix
The amount of information a server is sharing can be set in its configuration files. Depending on the used webserver, the configuration file can be found in different locations (see Recommendations to find the exact location). In most cases it is sufficient to change one or two settings to avoid publishing unnecessary information. After saving the changes, it is recommended to restart or reload the webserver to activate the changes.
Recommendations
https://wiki.crashtest-security.com/server-version-fingerprinting
2.4 PORTSCAN
2.4.2 Portscanner
Severity
Base Score: informational (0/10)
Impact: informational (0/10)
All values are based on the Common Vulnerability Scoring System v3.
Description
Unneeded open ports on the webserver open a large attack surface to a malicious user. They can be used to find unmaintained and possibly vulnerable network services that can be targeted.
Finding
+ Found open port "443/tcp" with service name "nginx"
+ Found open port "80/tcp" with service name "nginx"
+ Found open port "22/tcp" with service name "OpenSSH"
+ Found open port "5432/tcp" with service name "PostgreSQL DB"
How to fix
Unnecessarily open ports can be closed by setting up a firewall that blocks connections to all ports except those needed by the server. Furthermore, services that are not needed should be uninstalled.
Recommendations
https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner
CONTACT US:
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665