CTS Report 20210811 Originaltaxi Com BR

WEB VULNERABILITY SCANNING REPORT

Project: taxi
Date: 11 AUG 21 19:53 CEST
Scanned URL: https://originaltaxi.com.br
1 Overview

1.1 Vulnerability Overview


Based on our testing, we identified 12 vulnerabilities.

critical: 0
high: 0
medium: 7
low: 0
informational: 5

Figure 1.1: Total number of vulnerabilities for "taxi"

STATE (BASE SCORE): DESCRIPTION

CRITICAL (9 - 10): These findings are very critical whilst posing an immediate threat. Fixing these issues should be the highest priority, regardless of any other issues.

HIGH (7 - 8.9): Findings in this category pose an immediate threat and should be fixed immediately.

MEDIUM (4 - 6.9): Medium findings may cause serious harm in combination with other security vulnerabilities. These findings should be considered during project planning and be fixed within a short time.

LOW (0.1 - 3.9): Low severity findings do not impose an immediate threat. Such findings should be reviewed for their specific impact on the application and be fixed accordingly.

INFO (0): Informational findings do not pose any threat but have solely informational purpose.
1.2 Scanner Overview
1.2.1 Used Scanners
During the scan, the Crashtest Security Suite was looking for the following kinds of vulnerabilities and security issues:

✓ Server Version Fingerprinting
✓ Web Application Version Fingerprinting
✓ CVE Comparison
✓ Heartbleed
✓ ROBOT
✓ BREACH
✓ BEAST
✓ Old SSL/TLS Version
✓ SSL/TLS Cipher Order
✓ SSL/TLS Perfect Forward Secrecy
✓ SSL/TLS Session Resumption
✓ SSL/TLS secure algorithm
✓ SSL/TLS key size
✓ SSL/TLS trust chain
✓ SSL/TLS expiration date
✓ SSL/TLS revocation (CRL, OCSP)
✓ SSL/TLS OCSP stapling
✓ Security Headers
✓ Content-Security-Policy headers
✓ Portscan

1.2.2 Additional Scanners


The following scanners are also available in the Crashtest Security Suite but are only available for full scans. Please
change the environment of your project to "FULL SCAN" in order to scan against all vulnerabilities.

- Boolean-based blind SQL Injection
- Time-based blind SQL Injection
- Error-based SQL Injection
- UNION query-based SQL Injection
- Stacked queries SQL Injection
- Out-of-band SQL Injection
- Reflected Cross-site scripting (XSS)
- Stored Cross-site scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- File Inclusion
- Directory Fuzzer
- File Fuzzer
- Command Injection
- XML External Entity Processing (XXE)

Crashtest Security GmbH taxi | 11 Aug 21 | 19:53 CEST


Leopoldstr. 21, 80802 München, Germany
https://crashtest-security.com Page 3/17
1.2.3 Status for executed Scanners

SCANNER                              PERCENTAGE   STATUS
HTTP Header                          100%         completed
CVE                                  100%         completed
Transport Layer Security (TLS/SSL)   100%         completed
Portscan                             100%         completed
Fingerprinting                       100%         completed
Total                                100%         5 completed

1.3 Findings Checklist
1.3.1 FINGERPRINTING

STATE   FINDING RESULT
5.3     The webserver is running nginx 1.16.1 (There are no known CVE issues for this finding)

1.3.2 PORTSCAN

STATE   FINDING RESULT
0.0     Found open port "443/tcp" with service name "nginx"
0.0     Found open port "80/tcp" with service name "nginx"
0.0     Found open port "22/tcp" with service name "OpenSSH"
0.0     Found open port "5432/tcp" with service name "PostgreSQL DB"

1.3.3 SSL/TLS

STATE   FINDING RESULT
4.8     There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients from using weaker ciphers before trying stronger ones first.
0.0     DNS Certification Authority Authorization (CAA) Resource Record / RFC6844: Not offered

1.3.4 HTTPHEADER

STATE   FINDING RESULT
6.5     The Content-Security-Policy header is not set for URL https://originaltaxi.com.br.
4.3     The X-Content-Type-Options header is not set for URL https://originaltaxi.com.br.
4.8     The Strict-Transport-Security (HSTS) header is not set for URL https://originaltaxi.com.br.
6.5     The X-Frame-Options header is not set for URL https://originaltaxi.com.br.
4.3     The Referrer-Policy header is not set for URL https://originaltaxi.com.br.

Contents

1 Overview  2
1.1 Vulnerability Overview  2
1.2 Scanner Overview  3
1.2.1 Used Scanners  3
1.2.2 Additional Scanners  3
1.2.3 Status for executed Scanners  4
1.3 Findings Checklist  5
1.3.1 FINGERPRINTING  5
1.3.2 PORTSCAN  5
1.3.3 SSL/TLS  5
1.3.4 HTTPHEADER  6

2 Findings  8
2.1 SSL/TLS  8
2.1.1 What is this?  8
2.1.2 SSL Cipher Order  8
2.1.3 Missing SSL CAA record  9
2.2 HTTPHEADER  10
2.2.1 What is this?  10
2.2.2 Content-Security-Policy Header  10
2.2.3 X-Content-Type-Options Header  11
2.2.4 Missing HSTS  12
2.2.5 X-Frame-Options Header  13
2.2.6 Referrer-Policy Header  14
2.3 FINGERPRINTING  15
2.3.1 What is this?  15
2.3.2 Fingerprint Web Server  15
2.4 PORTSCAN  16
2.4.1 What is this?  16
2.4.2 Portscanner  16
2 Findings

2.1 SSL/TLS
2.1.1 What is this?
Transport Layer Security (TLS), more widely known by its predecessor Secure Sockets Layer (SSL), is a hybrid encryption protocol for secure data transmission over the Internet. It encrypts the communication between server and client. The most obvious part of it is HTTPS, with which providers can secure all communications between their servers and web browsers. This ensures that valuable information like usernames, passwords and credit card information cannot be stolen by someone analyzing the network traffic. The "S" in HTTPS stands for SSL. For a secure connection with HTTPS a certificate is needed. Those certificates offer different levels of security and have a fixed start and expiration date. To ensure a secure connection, webservers must use well configured certificates. With some misconfigured certificates it is possible to bypass the encryption; others may be blocked by web browsers because they are outdated or unknown.

2.1.2 SSL Cipher Order


Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring System v3.

Description
There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an
attacker can make use of an insecure SSL/TLS connection.

Finding
+ There is no cipher order configured. There should be a cipher order from strongest to weakest to prevent clients
from using weaker ciphers before trying stronger ones first.

How to fix
There is no cipher order for HTTPS ciphers set, or the cipher order includes an insecure cipher. This means that an
attacker can make use of an insecure SSL/TLS connection. In the SSL/TLS configuration, the allowed ciphers and their
order should be set to match secure values. More details on how to set these values can be found in the knowledge
database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/configure-ssl-cipher-order

2.1.3 Missing SSL CAA record
Severity

Base Score: informational (0/10)
Impact: informational (0/10)
Exploitability: low (3.9/10)
All values are based on the Common Vulnerability Scoring System v3.

Description
The domain's DNS zone does not specify any Certification Authority Authorization (CAA) record. This means that all
certificate authorities (CAs) are allowed to issue certificates for this domain. To decrease the risk of rogue certificates,
append the CAA settings to the DNS records.

Finding
+ DNS Certification Authority Authorization (CAA) Resource Record / RFC6844: Not offered

How to fix
The domain's DNS zone does not specify any Certification Authority Authorization (CAA) record. This means that all
certificate authorities (CAs) are allowed to issue certificates for this domain. To decrease the risk of rogue certificates,
the CAA setting needs to be added to the DNS records. More details on how to set the CAA setting can be found in
the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-missing-ssl-caa-record

2.2 HTTPHEADER
2.2.1 What is this?
When visiting a website the response from the server will include HTTP response headers. These headers tell the
browser how to behave while the user is interacting with the website. Modern browsers support a variety of security
headers, which are part of the HTTP response headers. This scanner will check if the recommended security headers
are set and will also verify if the headers are configured in a secure way.

2.2.2 Content-Security-Policy Header


Severity

Base Score: medium (6.5/10)
Impact: low (2.5/10)
Exploitability: low (3.9/10)
All values are based on the Common Vulnerability Scoring System v3.

Description
The Content-Security-Policy header tells the browser which domains are allowed as sources for further resources
such as scripts, images or stylesheets. This can prevent various cross-site scripting (XSS) attacks.

Finding
+ The Content-Security-Policy header is not set for URL https://originaltaxi.com.br.

How to fix
Configure the Content-Security-Policy header so that it only allows loading resources from trusted sources
such as 'self'. Do not include 'unsafe-eval' or 'unsafe-inline', in order to prevent direct injections into the website.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers

2.2.3 X-Content-Type-Options Header
Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)
All values are based on the Common Vulnerability Scoring System v3.

Description
The X-Content-Type-Options header prevents the browser from trying to detect the MIME type of downloaded files. This
protects against attacks in which a malicious file is served with an unsuspicious MIME type.

Finding
+ The X-Content-Type-Options header is not set for URL https://originaltaxi.com.br.

How to fix
Set the X-Content-Type-Options header to 'nosniff' in order to prevent the browser from detecting MIME types based
on file content.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers

2.2.4 Missing HSTS
Severity

Base Score: medium (4.8/10)
Impact: low (2.5/10)
Exploitability: low (2.2/10)
All values are based on the Common Vulnerability Scoring System v3.

Description
The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections, which prevents downgrade attacks to an insecure HTTP connection.

Finding
+ The Strict-Transport-Security (HSTS) header is not set for URL https://originaltaxi.com.br.

How to fix
The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection. Depending on the SSL certificate and the webserver in use, certain configurations have to be changed. More details on how to enable HSTS can be found in the knowledge database (see Recommendations).

Recommendations
https://wiki.crashtest-security.com/enable-hsts

2.2.5 X-Frame-Options Header
Severity

Base Score: medium (6.5/10)
Impact: low (3.6/10)
Exploitability: low (2.8/10)
All values are based on the Common Vulnerability Scoring System v3.

Description
The X-Frame-Options header declares whether this site may be embedded as a frame into other websites. If this header is not configured correctly, your application can be embedded into third party websites, which makes it vulnerable to clickjacking attacks.

Finding
+ The X-Frame-Options header is not set for URL https://originaltaxi.com.br.

How to fix
Configure the X-Frame-Options header as 'deny' to prevent the site from being embedded at all. The values 'sameorigin' or 'allow-from DOMAIN' can be used to allow embedding on certain websites while forbidding embedding on other websites.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers

2.2.6 Referrer-Policy Header
Severity

Base Score: medium (4.3/10)
Impact: low (1.4/10)
Exploitability: low (2.8/10)
All values are based on the Common Vulnerability Scoring System v3.

Description
The Referrer-Policy header defines how much information about the referrer is sent when the user clicks on a link. A
misconfigured or missing header may leak sensitive information to third party websites that are visited by clicking
on a link.

Finding
+ The Referrer-Policy header is not set for URL https://originaltaxi.com.br.

How to fix
Set the Referrer-Policy header to a secure value such as 'strict-origin-when-cross-origin'. This sends only your origin instead of the full path in the Referer header when following external links, keeps the full Referer for internal links, and sends nothing when the connection is downgraded from HTTPS to HTTP.

Recommendations
https://wiki.crashtest-security.com/enable-security-headers

2.3 FINGERPRINTING
2.3.1 What is this?
The responses a server sends to its clients often contain more information than necessary. This surplus of information
makes it possible to draw conclusions about the server's software or the programming languages used. It could reveal
the version of the web application and the libraries in use. The analysis of this information is called fingerprinting.
Based on fingerprinting, an attacker can get valuable input to plan and carry out an attack. Without it, an attacker
is attacking blindly. Whenever a specific version of a server or a web application is vulnerable to an attack, crawlers
search the web for traces of this version and start an attack if they find one. So it is likely that someone gets attacked
just because they leak this information and thereby show that their application or server is vulnerable.

2.3.2 Fingerprint Web Server


Severity

Base Score: medium (5.3/10)
Impact: low (1.4/10)
Exploitability: low (3.9/10)
All values are based on the Common Vulnerability Scoring System v3.

Description
The webserver publicly provides information about itself such as its name or version. This gives attackers the possibility to look for exploits specifically targeting the webserver in its exact version.

Finding
+ The webserver is running nginx 1.16.1 (There are no known CVE issues for this finding)

How to fix
The amount of information a server shares can be set in its configuration files. Depending on the webserver in use,
the configuration file can be found in different locations (see Recommendations to find the exact location). In most
cases it is sufficient to change one or two settings to avoid publishing unnecessary information. After saving the
changes, it is recommended to restart or reload the webserver to activate the changes.

Recommendations
https://wiki.crashtest-security.com/server-version-fingerprinting

2.4 PORTSCAN
2.4.1 What is this?
A port is a kind of door on the server that can be used to connect to a specific service. For a webserver, port 80 and
port 443, which are used for HTTP/HTTPS, are most likely open to serve the website to users. Other ports should be
closed if they are not needed for any service. The portscanner tests the webserver with a SYN scan for a wide range
of possibly open ports and reports them back. If there are any open ports other than port 80 and port 443, they
should be blocked by the firewall if they are not needed.

2.4.2 Portscanner
Severity

Base Score: informational (0/10)
Impact: informational (0/10)
Exploitability: informational (0/10)
All values are based on the Common Vulnerability Scoring System v3.

Description
Unneeded open ports on the webserver open a large attack surface to a malicious user. They can be used to find
unmaintained and possibly vulnerable network services that can be targeted.

Finding
+ Found open port ”443/tcp” with service name ”nginx”
+ Found open port ”80/tcp” with service name ”nginx”
+ Found open port ”22/tcp” with service name ”OpenSSH”
+ Found open port ”5432/tcp” with service name ”PostgreSQL DB”

How to fix
Unnecessarily open ports can be closed by setting up a firewall that blocks connections to all ports except those that
are needed by the server. Furthermore, services that are not needed should be uninstalled.

Recommendations
https://wiki.crashtest-security.com/insecure-network-services-open-port-scanner

Crashtest Security is a German IT security company specialized in automated web application security testing. The fully automated penetration test lets developers discover vulnerabilities in real-time and supports the remediation through an integrated knowledge base.

CONTACT US:
Crashtest Security GmbH
Leopoldstr. 21
80802 München
+49 (0) 89 215 41 665
