Scan Remediation

Report

Generated by Burp Suite Enterprise Edition | 2022-06-28 11:03 AM
Site name: https://example.com
Scanned:
  Start: 2022-06-11 5:00 PM
  End: 2022-06-12 3:49 AM
  Duration: 10h 48m
  Status: Completed
Included URLs: https://example.com
Excluded URLs: https://test.example.com
Scan configurations:
  • Never stop crawl due to application errors
  • Never stop audit due to application errors
  • Audit coverage - maximum
Application logins: Testing Credentials
Reference:

Issues by severity

High: 1
Medium: 0
Low: 2
Information: 26
Total issues found: 29

Scan statistics

Total scanned URLs: 62
URLs with errors: 46
Requests made: 921159
Network errors: 205

Issues found on https://example.com

Issue type                                                  URLs  Severity  Confidence
Cross-origin resource sharing: arbitrary origin trusted     1     High      Certain
Strict transport security not enforced                      1     Low       Certain
Cross-origin resource sharing: unencrypted origin trusted   1     Low       Certain
TLS certificate                                             1     Info      Certain
Cross-origin resource sharing                               1     Info      Certain
WAF Detected: redacted                                      1     Info      Certain
Cookie scoped to parent domain                              1     Info      Certain
Email addresses disclosed                                   3     Info      Certain (all 3 URLs)
Robots.txt file                                             1     Info      Certain
Cacheable HTTPS response                                    1     Info      Certain
User agent-dependent response                               7     Info      Firm (4 URLs), Tentative (3 URLs)
Cross-site request forgery                                  1     Info      Tentative

Issues found on https://example.com

Issue type                                                  URLs  Severity  Confidence
Cookie scoped to parent domain                              9     Info      Certain (all 9 URLs)

More details for https://example.com

Cross-origin resource sharing: arbitrary origin trusted

/redacted

Issue detail:

The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.

The application allowed access from the requested origin https://llqvfwgbsdau.com

Issue background

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request.

Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites. Unless the response consists only of unprotected public content, this policy is likely to present a security risk.

If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information. Even if it does not, attackers may be able to bypass any IP-based access controls by proxying through users' browsers.

Issue remediation

Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains.

References

Vulnerability classifications

Request:

POST /redacted HTTP/2
Host: https://example.com
Cookie: __cfruid=daed328c5bcfbc7d405794c7b97140aabba4ae88-1654942102
Origin: https://llqvfwgbsdau.com
Accept: */*
content-type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 4685

https://example.com

Response:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 10:08:23 GMT
Content-Type: text/plain
Access-Control-Allow-Origin: https://llqvfwgbsdau.com
Access-Control-Allow-Methods: POST,OPTIONS
Access-Control-Max-Age: 86400
Vary: Origin
Access-Control-Allow-Credentials: true
Server: redacted
Cf-Ray: 71998b93d9b330a4-SEA
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

Strict transport security not enforced

/redacted

Issue detail:

This issue was found in multiple locations under the reported path.

Issue background

The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool automates this process.

To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.

Issue remediation

The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.

Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never accessed the application will never have seen the HSTS header, and will therefore still be vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' flag to the HSTS header, and submit the domain for review by browser vendors.

References

Vulnerability classifications

Request:

POST /redacted HTTP/2
Host: https://example.com
Cookie: __cfruid=239b7646d8e83ceff3a082b1f62dad581f4af8c3-1654931034
Origin: https://example.com
Accept: */*
content-type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 5077

https://example.com

Response:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 07:03:54 GMT
Content-Type: text/plain
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: POST,OPTIONS
Access-Control-Max-Age: 86400
Vary: Origin
Access-Control-Allow-Credentials: true
Server: redacted
Cf-Ray: 71987d577be960bf-SEA
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

Cross-origin resource sharing: unencrypted origin trusted

/redacted

Issue detail:

The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request which trusts websites accessed using unencrypted communications.

Issue background

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request.

If a site allows interaction from an origin that uses unencrypted HTTP communications, then it is vulnerable to an attacker who is in a position to view and modify a user's unencrypted network traffic. The attacker can control the responses from unencrypted origins, thereby injecting content that is able to interact with the application that publishes the policy. This means that the application is effectively extending trust to all such attackers, thereby undoing much of the benefit of using HTTPS communications.

Issue remediation

Only trust origins that use encrypted HTTPS communications.

References

Vulnerability classifications

Request:

POST /redacted HTTP/2
Host: https://example.com
Cookie: __cfruid=ffba0631a3cf20c7fbba942d6291ab754c7fd041-1654934772
Origin: https://example.com
Accept: */*
content-type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 4720

https://example.com

Response:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 08:06:13 GMT
Content-Type: text/plain
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: POST,OPTIONS
Access-Control-Max-Age: 86400
Vary: Origin
Access-Control-Allow-Credentials: true
Server: redacted
Cf-Ray: 7198d89ece7d08ff-SEA
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

TLS certificate

/

Issue detail:

The server presented a valid, trusted TLS certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  redacted.com, *.kr.redacted.com
Issued by:  redacted Inc ECC CA-3
Valid from:  Mon Apr 18 00:00:00 GMT 2022
Valid to:  Tue Apr 18 23:59:59 GMT 2023

Certificate chain #1

Issued to:  redacted Inc ECC CA-3
Issued by:  Baltimore CyberTrust Root
Valid from:  Mon Jan 27 12:48:08 GMT 2020
Valid to:  Tue Dec 31 23:59:59 GMT 2024

Certificate chain #2

Issued to:  Baltimore CyberTrust Root
Issued by:  Baltimore CyberTrust Root
Valid from:  Fri May 12 18:46:00 GMT 2000
Valid to:  Mon May 12 23:59:00 GMT 2025

Issue background

TLS (or SSL) helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present a TLS certificate that is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, TLS connections to the server will not provide the full protection for which TLS is designed.

It should be noted that various attacks exist against TLS in general, and in the context of HTTPS web connections in particular. It may be possible for a determined and suitably-positioned attacker to compromise TLS connections without user detection even when a valid TLS certificate is used.

References

Vulnerability classifications

Cross-origin resource sharing

/redacted

Issue detail:

The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.

Issue background

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request.

If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially retrieve content from the application, and sometimes carry out actions within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by an attacker to exploit the trust relationship and attack the application that allows access. CORS policies on pages containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the intentions and security posture of any domains granted access.

Issue remediation

Any inappropriate domains should be removed from the CORS policy.

References

Vulnerability classifications

Request:

POST /redacted HTTP/2
Host: https://example.com
Cookie: __cfruid=803af1a277c706c58c208ae27a67bd73f7b31e76-1654934757
Origin: https://example.com
Accept: */*
content-type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 4727

https://example.com

Response:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 08:06:00 GMT
Content-Type: text/plain
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: POST,OPTIONS
Access-Control-Max-Age: 86400
Vary: Origin
Access-Control-Allow-Credentials: true
Server: redacted
Cf-Ray: 7198d84b088708ff-SEA
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

WAF Detected: redacted

/redacted

Issue origin

This issue was generated by the extension: WAFDetect

Issue detail:

Fingerprint Details:

WAF Type : redacted
WAF tech. details : Cloud-based CDN, WAF & DDoS prevention
Reference : https://www.redacted.com
Matching regex : ^Server: redacted
Highlighting keyword : redacted
Header-only search? : true

Request:

GET /redacted?94ef82ad72dfadb7b729 HTTP/2
Host: https://example.com
Cookie: __cfruid=419dce148f6ccf578d6a43bbb2c10373caa4b71a-1654931022
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 07:03:42 GMT
Content-Type: application/javascript
Cf-Bgj: minify
Cf-Polished: origSize=3744
Cache-Control: public, max-age=3600, s-maxage=3600
Content-Security-Policy: default-src 'none'; base-uri 'self'; media-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; img-src 'self'; font-src 'self'; manifest-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'self';
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Etag: W/"625ded12-ea0"
Last-Modified: Mon, 18 Apr 2022 22:58:26 GMT
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Envoy-Upstream-Service-Time: 2
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Cf-Cache-Status: HIT
Age: 188
Expect-Ct: max-age=604800, report-uri="https://report-uri.redacted.com/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.redacted.com\/report\/v3?s=zWSKP8pWrwW1sL1b7HEL93ntZ9UEq75YHco1SqKNm0oze3lJUaLse696k3D9qGAqiPmfrYrvh9q%2BzFRxAiHqD5NMsusj1bDl97%2FDe0MUS02nqj560us35UNMX49fpFPbQ5Ok2dyD"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 71987d0d9cbf60bf-SEA

https://example.com

Cookie scoped to parent domain

/robots.txt

Issue detail:

The following cookie was issued by the application and is scoped to a parent of the issuing domain:
  • __cfruid
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain, and on IE/Edge to subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems that support those applications.

Vulnerability classifications

Request:

GET /robots.txt HTTP/1.1
Host: https://example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 07:00:32 GMT
Content-Type: text/plain
Last-Modified: Mon, 18 Apr 2022 22:57:57 GMT
Etag: W/"625decf5-43"
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Content-Security-Policy: default-src 'none'; base-uri 'self'; media-src 'self'; script-src 'self' static.redactedinsights.com 'unsafe-eval' https://*.smartlook.com https://*.smartlook.cloud; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; img-src 'self'; font-src 'self'; manifest-src 'self'; connect-src 'self' https://*.smartlook.com https://*.smartlook.cloud; frame-ancestors 'none'; form-action 'self';
Cache-Control: no-store
X-Envoy-Upstream-Service-Time: 1
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Xss-Protection: 1; mode=block
Referrer-Policy: no-referrer
X-Dns-Prefetch-Control: off
Cf-Cache-Status: MISS
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=2Nm81z8201Ew37Q7eTK5zAFr6WzdIiSBDODDHSj7vi%2FLve161cFN%2B7cuS7kE2gpwyzI%2FNidAGvUSI2z9bFA8Ql9wyHjx%2BTfiht6A7Pw%2F2Qwp8a9TnQoA9J2q9ZtmRzD5grCJSUSY"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Set-Cookie: __cfruid=3ae282485f38a38817aaed77ac83bc9b6dea168c-1654930832; path=/; domain=.redacted.com; HttpOnly; Secure; SameSite=None
Server: redacted
Cf-Ray: 71987863dc0d08a5-SEA

# https://www.robotstxt.org/robotstxt.html
User-agent: *
Disallow:

Email addresses disclosed

/redacted

Issue detail:

The following email addresses were disclosed in the response:
  • fake-user@testing.com
  • fake-admin@testing.com
  • support@redacted.com
  • contact@redacted.com
  • support@xijiabrainmap.com
  • u4E3Asupport@xijiabrainmap.com
  • u81F3support@xijiabrainmap.com
  • u81F3contact@xijiabrainmap.com

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organization's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

Consider removing any email addresses that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

To reduce the quantity of spam sent to anonymous mailbox addresses, consider hiding the email address and instead providing a form that generates the email server-side, protected by a CAPTCHA if necessary.

References

Vulnerability classifications

Request:

GET /redacted?94ef82ad72dfadb7b729 HTTP/2
Host: https://example.com
Cookie: __cfruid=d75817bc7ad6710ac75db6ba48f6fc37f6551137-1654930833
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 07:00:34 GMT
Content-Type: application/javascript
Cf-Bgj: minify
Cf-Polished: origSize=1056677
Cache-Control: public, max-age=3600, s-maxage=3600
Content-Security-Policy: default-src 'none'; base-uri 'self'; media-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; img-src 'self'; font-src 'self'; manifest-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'self';
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Etag: W/"625ded12-101fa5"
Last-Modified: Mon, 18 Apr 2022 22:58:26 GMT
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Envoy-Upstream-Service-Time: 4
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Cf-Cache-Status: HIT
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=vRqxYM8JkDo2GbO5Q9oa5Cq9wpBPHZxKtNH2bkqem%2Fu9XdfaxHKOGrOUSoUCwwOwKxL1YQqxWBfXnWi1WWp4oZmPnkEyyWj1ZbKMGUOYBxhWgbHcpRI5%2BwGdG%2Fh0ZRc%2BLZ7%2B6Pi8"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 719878719aa608a5-SEA

https://example.com

Email addresses disclosed

/redacted

Issue detail:

The following email addresses were disclosed in the response:
  • privacy@redacted.com
  • support@redacted.com
  • u81F3contact@xijiabrainmap.com
  • u81F3support@xijiabrainmap.com
  • u8FC7contact@xijiabrainmap.com

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organization's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

Consider removing any email addresses that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

To reduce the quantity of spam sent to anonymous mailbox addresses, consider hiding the email address and instead providing a form that generates the email server-side, protected by a CAPTCHA if necessary.

References

Vulnerability classifications

Request:

GET /redacted HTTP/2
Host: https://example.com
Cookie: __cfruid=8d467a9836d19fd26dfe28fbf19907453cba442d-1654930838
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 07:01:40 GMT
Content-Type: application/javascript
Cf-Bgj: minify
Cf-Polished: origSize=2292583
Cache-Control: public, max-age=3600, s-maxage=3600
Content-Security-Policy: default-src 'none'; base-uri 'self'; media-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; img-src 'self'; font-src 'self'; manifest-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'self';
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Etag: W/"625ded12-22fb67"
Last-Modified: Mon, 18 Apr 2022 22:58:26 GMT
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Envoy-Upstream-Service-Time: 1
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Cf-Cache-Status: HIT
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=bhtutj7FNAQJrPT0XV2e6Se1viu%2Bu1EgoA7kr7db2%2BAAicKCaiMX3jrhhcTv9eL2Fi5F2V5CwzUalIAfGUaeCGD6h2soxZ1zS3mxVWohIu%2F%2F5oAu1TkBUqOeAk8oyMG%2F%2FFYPrq9%2B"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 71987a0b0a6f681d-SEA

https://example.com

Email addresses disclosed

/redacted

Issue detail:

The following email address was disclosed in the response:
  • support@redacted.com

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organization's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

Consider removing any email addresses that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

To reduce the quantity of spam sent to anonymous mailbox addresses, consider hiding the email address and instead providing a form that generates the email server-side, protected by a CAPTCHA if necessary.

References

Vulnerability classifications

Request:

GET /redacted?94ef82ad72dfadb7b729 HTTP/2
Host: https://example.com
Cookie: __cfruid=074289c7818d20a3c6748bac71c59f2e8bf6e439-1654931032
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 07:03:52 GMT
Content-Type: application/javascript
Cf-Bgj: minify
Cf-Polished: origSize=583995
Cache-Control: public, max-age=3600, s-maxage=3600
Content-Security-Policy: default-src 'none'; base-uri 'self'; media-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; img-src 'self'; font-src 'self'; manifest-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'self';
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Etag: W/"625ded12-8e93b"
Last-Modified: Mon, 18 Apr 2022 22:58:26 GMT
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Envoy-Upstream-Service-Time: 1
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Cf-Cache-Status: HIT
Age: 198
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=OMuLXOAyGzl4KTZKDoq8FKklHYnVo2pq7HUhdcO4mTwQ7WoSmyc5B76gc29NAmDTEwkY94AhoS9am1UmhteJug60L9%2BCP4kVpFa%2F8qtW44bT9uncd2%2BNpX700x1%2FSJImbVfAmeXB"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 71987d4c1e4960bf-SEA

https://example.com

Robots.txt file

/robots.txt

Issue detail:

The web server contains a robots.txt file.

Issue background

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site that robots are allowed, or not allowed, to crawl and index.

The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.

Issue remediation

The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honor the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorized access.

Vulnerability classifications

Request:

GET /robots.txt HTTP/1.1
Host: https://example.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/1.1 200 OK
Date: Sat, 11 Jun 2022 07:03:58 GMT
Content-Type: text/plain
Connection: close
last-modified: Mon, 18 Apr 2022 22:57:57 GMT
etag: W/"625decf5-43"
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: require-corp
content-security-policy: default-src 'none'; base-uri 'self'; media-src 'self'; script-src 'self' static.redactedinsights.com 'unsafe-eval' https://*.smartlook.com https://*.smartlook.cloud; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; img-src 'self'; font-src 'self'; manifest-src 'self'; connect-src 'self' https://*.smartlook.com https://*.smartlook.cloud; frame-ancestors 'none'; form-action 'self';
cache-control: no-store
x-envoy-upstream-service-time: 1
x-content-type-options: nosniff
x-frame-options: DENY
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-xss-protection: 1; mode=block
referrer-policy: no-referrer
x-dns-prefetch-control: off
CF-Cache-Status: MISS
Expect-CT: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=ynnvsK4T2prb16%2Fo3RPBv0jEAiLb7OGY1NTq2ExfJILS8vae2%2B4X79suO6i7bf5AmymMXmPcqotnf%2FEytPM9Tde8UN9dYIBNm%2BlOenSRurJxBX1SFBkQivzEPfqMR3b16SbatiYw"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Set-Cookie: __cfruid=7b3900cfcdaf23aa1f227837917f50cb19399621-1654931038; path=/; domain=.redacted.com; HttpOnly; Secure; SameSite=None
Server: redacted
CF-RAY: 71987d6f3a8c0899-SEA
Content-Length: 67

# https://www.robotstxt.org/robotstxt.html
User-agent: *
Disallow:

Cacheable HTTPS response

/

Issue detail:

This issue was found in multiple locations under the reported path.

Issue background

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Issue remediation

Applications should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:

  • Cache-control: no-store
  • Pragma: no-cache

References

Vulnerability classifications

Request 1:

POST /redacted HTTP/2
Host: https://example.com
Cookie: __cfruid=239b7646d8e83ceff3a082b1f62dad581f4af8c3-1654931034
Origin: https://example.com
Accept: */*
content-type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 5077

Response 1:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 07:03:54 GMT
Content-Type: text/plain
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: POST,OPTIONS
Access-Control-Max-Age: 86400
Vary: Origin
Access-Control-Allow-Credentials: true
Server: redacted
Cf-Ray: 71987d577be960bf-SEA
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

Request 2:

POST /redacted HTTP/2
Host: https://example.com
Cookie: __cfruid=fff14e8fa4018dd72cbb80e5cd5b011a7248f150-1654930970
Origin: https://example.com
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
content-type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 5379

Response 2:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 07:02:50 GMT
Content-Type: text/plain
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: POST,OPTIONS
Access-Control-Max-Age: 86400
Vary: Origin
Access-Control-Allow-Credentials: true
Server: redacted
Cf-Ray: 71987bc429b739c0-SEA
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

Request 3:

POST /redacted HTTP/2
Host: https://example.com
Cookie: __cfruid=6eb94ef0c78d0776ac6d858be948c98a942e2928-1654931030
Origin: https://example.com
Accept: */*
content-type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 3791

Response 3:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 07:03:51 GMT
Content-Type: text/plain
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: POST,OPTIONS
Access-Control-Max-Age: 86400
Vary: Origin
Access-Control-Allow-Credentials: true
Server: redacted
Cf-Ray: 71987d40f85860bf-SEA
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

User agent-dependent response

/redacted

Issue description

Application responses may depend systematically on the value of the User-Agent header in requests. This behavior does not itself constitute a security vulnerability, but may point towards additional attack surface within the application, which may contain vulnerabilities.

This behavior often arises because applications provide different user interfaces for desktop and mobile users. Mobile interfaces have often been less thoroughly tested for vulnerabilities such as cross-site scripting, and often have simpler authentication and session handling mechanisms that may contain problems that are not present in the full interface.

To review the interface provided by the alternate User-Agent header, you can configure a match/replace rule in Burp Proxy to modify the User-Agent header in all requests, and then browse the application in the normal way using your normal browser.

Vulnerability classifications

Request 1:

GET /redacted?94ef82ad72dfadb7b729 HTTP/2
Host: https://example.com
Cookie: __cfruid=d75817bc7ad6710ac75db6ba48f6fc37f6551137-1654930833
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response 1:

HTTP/2 429 Too Many Requests
Date: Sat, 11 Jun 2022 07:32:34 GMT
Content-Type: application/json
Retry-After: 3006
Cache-Control: no-cache
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=RJ%2FLblvlEwFsDazt1ays223SPw4TUGQ6m6yNvZPbNTooTY2tWTbj7PoXF4z2nI1sfyLLPN7%2Fo2tekNO0e4Lb47%2FBuPB8EeUhnxfCNBELB9uMVYQ3EQnmpN1TLj0fz7apA2dlQaL2"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 7198a750787a27ee-SEA

Request 2:

GET /redacted?94ef82ad72dfadb7b729 HTTP/2
Host: https://example.com
Cookie: __cfruid=5deb9f366c412f14053591956654f073b61e26e8-1654934727
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Connection: close
Cache-Control: max-age=0

Response 2:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 08:05:28 GMT
Content-Type: application/javascript
Cf-Bgj: minify
Cf-Polished: origSize=1056677
Cache-Control: public, max-age=3600, s-maxage=3600
Content-Security-Policy: default-src 'none'; base-uri 'self'; media-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; img-src 'self'; font-src 'self'; manifest-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'self';
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Etag: W/"625ded12-101fa5"
Last-Modified: Mon, 18 Apr 2022 22:58:26 GMT
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Envoy-Upstream-Service-Time: 4
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Cf-Cache-Status: HIT
Age: 25
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=YLtpwWxvA39%2BiQj%2BhHipVuV%2B4hDnBSau%2FCOvAtRkCtpVrQ8VinDRCKIVREFPXFUKS0EATeaTrgURTt%2Bwgas6IU83S35K4mI2mMuKq%2BpDVo2ZCBwh%2Bd736Nz51OTzezKBlA%2Fr9H7Y"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Set-Cookie: __cfruid=2edd2ade6bfe0221a0dda2561b62f8ecb736fba6-1654934728; path=/; domain=.redacted.com; HttpOnly; Secure; SameSite=None
Server: redacted
Cf-Ray: 7198d78809d508ff-SEA

User agent-dependent response

/redacted

Vulnerability classifications

Request 1:

GET /redacted?94ef82ad72dfadb7b729 HTTP/2
Host: https://example.com
Cookie: __cfruid=d75817bc7ad6710ac75db6ba48f6fc37f6551137-1654930833
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response 1:

HTTP/2 429 Too Many Requests
Date: Sat, 11 Jun 2022 08:09:22 GMT
Content-Type: application/json
Retry-After: 797
Cache-Control: no-cache
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=yKrg5BohMh0gtqakk8YPrEBpg7HBfjTL2z8btjXKdrOKvapgujhdDesRNuCm5q0H2n4AQ1Iv8ecdLGmy0L5ZGCLfuOKl%2FLSuv5RF1kmonPxQgGwuxMDV34LaBSJ0sxZNEKWYMMDG"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 7198dd3cce8b13aa-SEA

Request 2:

GET /redacted?94ef82ad72dfadb7b729 HTTP/2
Host: https://example.com
Cookie: __cfruid=d75817bc7ad6710ac75db6ba48f6fc37f6551137-1654930833
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Connection: close
Cache-Control: max-age=0

Response 2:

HTTP/2 429 Too Many Requests
Date: Sat, 11 Jun 2022 08:19:14 GMT
Content-Type: application/json
Retry-After: 2842
Cache-Control: no-cache
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=f34GPKSkR279Sg8xQQ6EYiUhpgsWheW78Jr9xSe7ZgL3K3Qp1nivcC4%2BUDyE%2Fz1n6zWSGCzy1%2BIdsUrCmGOL41mRR2WAXanK8bnPeYFPAZLHFwEWs1KZf%2B4%2BowfhtuP8w4rwdhDE"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 7198ebb16865e38e-SEA

User agent-dependent response

/redacted

Vulnerability classifications

Request 1:

GET /redacted?94ef82ad72dfadb7b729 HTTP/2
Host: https://example.com
Cookie: __cfruid=d75817bc7ad6710ac75db6ba48f6fc37f6551137-1654930833
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response 1:

HTTP/2 429 Too Many Requests
Date: Sat, 11 Jun 2022 09:20:53 GMT
Content-Type: application/json
Retry-After: 2818
Cache-Control: no-cache
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=Zs8esUH4FsawFLIKwTgA41O6gHo8yk6xjp5AfOcZakslERBcR8g2iDrS6ZX8Nh%2FNaUCub0RyvNUUKrI9lMnTKvzp0kZ%2FqnlkypZpJ8s8oSkusBnbwAE9wR7DEvlbclyt%2BpvjHEb2"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 719945feec8930b3-SEA

Request 2:

GET /redacted?94ef82ad72dfadb7b729 HTTP/2
Host: https://example.com
Cookie: __cfruid=d75817bc7ad6710ac75db6ba48f6fc37f6551137-1654930833
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Connection: close
Cache-Control: max-age=0

Response 2:

HTTP/2 429 Too Many Requests
Date: Sat, 11 Jun 2022 09:59:52 GMT
Content-Type: application/json
Retry-After: 469
Cache-Control: no-cache
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=XfhO0F6GUs3XPeA%2FQtW7DeE9yPaC%2BR2UgUQ9wKTfCiIE65OhVd7yI6R0mrESv%2Fwvi%2FZgXQwu4qJd4sW7E7Q%2FJXYSzMsoL6UrFvEF7Ol07igCNqq8aT92HUCanVvTumb1WH1dRyfw"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 71997f197f2408ad-SEA

User agent-dependent response

/redacted

Vulnerability classifications

Request 1:

GET /redacted?94ef82ad72dfadb7b729 HTTP/2
Host: https://example.com
Cookie: __cfruid=d75817bc7ad6710ac75db6ba48f6fc37f6551137-1654930833
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response 1:

HTTP/2 429 Too Many Requests
Date: Sat, 11 Jun 2022 08:10:07 GMT
Content-Type: application/json
Retry-After: 752
Cache-Control: no-cache
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=q4E1umE2icia9bteAeOMZBe7zKjDpnySIZ3kaJ%2BC8T09V5bUa0tjbLZPUSyo0fwf4kgC3wbR9hyBrsTtHIj22bQjmrhdDMyFIT0C4soGiEAwN8b8pLdFLHEaPPmgU%2Bxdqx2XR5da"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 7198de55ed5013aa-SEA

Request 2:

GET /redacted?94ef82ad72dfadb7b729 HTTP/2
Host: https://example.com
Cookie: __cfruid=d75817bc7ad6710ac75db6ba48f6fc37f6551137-1654930833
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Connection: close
Cache-Control: max-age=0

Response 2:

HTTP/2 429 Too Many Requests
Date: Sat, 11 Jun 2022 08:19:26 GMT
Content-Type: application/json
Retry-After: 2831
Cache-Control: no-cache
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=PaCCX51GD5LQcfV39thxYDFqKDTkny2s8t%2FpjyHlomBbTIu45mh5i1fp20%2FrmtQB5KLSA8y1RZNx5uXRsjD9OqDJg%2F7YVi%2Fa5svxPlnvdsQqZ1Ki7dHd5fRgvjo5aeBSeZU7K%2Ba%2B"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 7198ebfbfb12e38e-SEA

User agent-dependent response

/redacted

Vulnerability classifications

Request 1:

GET /redacted?94ef82ad72dfadb7b729 HTTP/2
Host: https://example.com
Cookie: __cfruid=d75817bc7ad6710ac75db6ba48f6fc37f6551137-1654930833
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response 1:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 07:22:36 GMT
Content-Type: application/javascript
Cf-Bgj: minify
Cf-Polished: origSize=20194
Cache-Control: public, max-age=3600, s-maxage=3600
Content-Security-Policy: default-src 'none'; base-uri 'self'; media-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; img-src 'self'; font-src 'self'; manifest-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'self';
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Etag: W/"625ded12-4ee2"
Last-Modified: Mon, 18 Apr 2022 22:58:26 GMT
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Envoy-Upstream-Service-Time: 0
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Cf-Cache-Status: HIT
Age: 1322
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=ikK%2FjEBZAL9defkuMUuqDGzJhyOtxNdPIrz8S6Wbgjb9k0oqsRfk1FY7fxUS39oGKGHRCGEY1GEit9b1CEesILnYz2oYlLj3vK2cA7Szt11BC4gG5MUSI%2FpO%2BsD4kYYlYFsv318U"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 719898b76abc39e3-SEA

Request 2:

GET /redacted?94ef82ad72dfadb7b729 HTTP/2
Host: https://example.com
Cookie: __cfruid=d75817bc7ad6710ac75db6ba48f6fc37f6551137-1654930833
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Connection: close
Cache-Control: max-age=0

Response 2:

HTTP/2 429 Too Many Requests
Date: Sat, 11 Jun 2022 07:41:32 GMT
Content-Type: application/json
Retry-After: 1410
Cache-Control: no-cache
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=L2WFTibBpt%2BDhz%2FM6xUsroO7aDsCqxemxbtfR5S2iCsjTRaytUG%2FkpoCM14Y90hhfm8KiD88byOP3wtdTPNURqNUE18gjpH7cEXpn2yhCOZ9STqt6Hgcwd4dsUUfw4Qgt3xxCBTK"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 7198b477ff230905-SEA

User agent-dependent response

/redacted

Vulnerability classifications

Request 1:

GET /redacted?94ef82ad72dfadb7b729 HTTP/2
Host: https://example.com
Cookie: __cfruid=d75817bc7ad6710ac75db6ba48f6fc37f6551137-1654930833
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response 1:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 09:07:48 GMT
Content-Type: application/javascript
Cf-Bgj: minify
Cf-Polished: origSize=1049193
Cache-Control: public, max-age=3600, s-maxage=3600
Content-Security-Policy: default-src 'none'; base-uri 'self'; media-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; img-src 'self'; font-src 'self'; manifest-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'self';
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Etag: W/"625ded12-100269"
Last-Modified: Mon, 18 Apr 2022 22:58:26 GMT
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Envoy-Upstream-Service-Time: 2
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Cf-Cache-Status: HIT
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=cCFLlw6n5wW3Ldjjl6LuyTV8wSe2NB%2BTvbYZ53oMUMIcG3zPtSdA%2F%2BiVsFefROIRswr1sqVCHiWhGCsJhKycCtU7E2r88BYZodxu7l8wCz98bmxHdsBkYlw%2FRLnZi1J17M0aG5T6"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 719932cea804139a-SEA

Request 2:

GET /redacted?94ef82ad72dfadb7b729 HTTP/2
Host: https://example.com
Cookie: __cfruid=d75817bc7ad6710ac75db6ba48f6fc37f6551137-1654930833
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Connection: close
Cache-Control: max-age=0

Response 2:

HTTP/2 429 Too Many Requests
Date: Sat, 11 Jun 2022 09:20:42 GMT
Content-Type: application/json
Retry-After: 2818
Cache-Control: no-cache
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=chRQ6%2BPF07VW3O%2B6vBiO3yqbR0IOtbfwIaFIaZhYUIc%2BJ6LqK09OIF4tLv4GV688UAYkyazUxuoKSnpPydJ5Hn0GUgRAiVx9LE2x6icFWbKHCyvnkQNcfO%2FL6hV2%2FOdai2qrPy%2Bq"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 719945bc0d4830b3-SEA

User agent-dependent response

/redacted

Vulnerability classifications

Request 1:

GET /redacted HTTP/2
Host: https://example.com
Cookie: __cfruid=8d467a9836d19fd26dfe28fbf19907453cba442d-1654930838
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response 1:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 09:13:49 GMT
Content-Type: application/javascript
Cf-Bgj: minify
Cf-Polished: origSize=2292583
Cache-Control: public, max-age=3600, s-maxage=3600
Content-Security-Policy: default-src 'none'; base-uri 'self'; media-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; img-src 'self'; font-src 'self'; manifest-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'self';
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Etag: W/"625ded12-22fb67"
Last-Modified: Mon, 18 Apr 2022 22:58:26 GMT
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Envoy-Upstream-Service-Time: 1
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Cf-Cache-Status: HIT
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=okxX%2FMljEx19SvTpIPCbfs6HvHM190lKPe8L586%2FbLJZVBx3b18wX8cvEfdTyNFluurNkt6zK%2BKSI84Ch3CNuRtnC6J6UIPetbGv55WMjnDVPFeqzFWRwboNxbRnOq5dsKos10Wj"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 71993ba43aae3089-SEA

Request 2:

GET /redacted HTTP/2
Host: https://example.com
Cookie: __cfruid=8d467a9836d19fd26dfe28fbf19907453cba442d-1654930838
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Connection: close
Cache-Control: max-age=0

Response 2:

HTTP/2 429 Too Many Requests
Date: Sat, 11 Jun 2022 09:22:58 GMT
Content-Type: application/json
Retry-After: 2683
Cache-Control: no-cache
Expect-Ct: max-age=604800, report-uri="https://redacted/redacted/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=dEEtpbiEmmeZY0lUd6wmrN5rAobfkW8a6OXkOTZtaDHtG0DV04ignJ8ekAzI04sCFDml0BJW3LeC8XugVpcVPr5xO%2B8WXrgLBumMdZj9oo%2BH1OUYz8KNrMpyREuNkmMX2T1bgJpp"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: redacted
Cf-Ray: 71994908ee1a5fe6-SEA

Cross-site request forgery

/redacted

Issue detail:

The request appears to be vulnerable to cross-site request forgery (CSRF) attacks against unauthenticated functionality. This is unlikely to constitute a security vulnerability in its own right; however, it may facilitate exploitation of other vulnerabilities affecting application users.

Issue background

Cross-site request forgery (CSRF) vulnerabilities may arise when applications rely solely on HTTP cookies to identify the user that has issued a particular request. Because browsers automatically add cookies to requests regardless of their origin, it may be possible for an attacker to create a malicious web site that forges a cross-domain request to the vulnerable application. For a request to be vulnerable to CSRF, the following conditions must hold:

  • The request can be issued cross-domain, for example using an HTML form. If the request contains non-standard headers or body content, then it may only be issuable from a page that originated on the same domain.
  • The application relies solely on HTTP cookies or Basic Authentication to identify the user that issued the request. If the application places session-related tokens elsewhere within the request, then it may not be vulnerable.
  • The request performs some privileged action within the application, which modifies the application's state based on the identity of the issuing user.
  • The attacker can determine all the parameters required to construct a request that performs the action. If the request contains any values that the attacker cannot determine or predict, then it is not vulnerable.

Issue remediation

The most effective way to protect against CSRF vulnerabilities is to include within relevant requests an additional token that is not transmitted in a cookie: for example, a parameter in a hidden form field. This additional token should contain sufficient entropy, and be generated using a cryptographic random number generator, such that it is not feasible for an attacker to determine or predict the value of any token that was issued to another user. The token should be associated with the user's session, and the application should validate that the correct token is received before performing any action resulting from the request.

An alternative approach, which may be easier to implement, is to validate that Host and Referer headers in relevant requests are both present and contain the same domain name. However, this approach is somewhat less robust: historically, quirks in browsers and plugins have often enabled attackers to forge cross-domain requests that manipulate these headers to bypass such defenses.

References

Vulnerability classifications

Request:

POST /redacted HTTP/2
Host: https://example.com
Cookie: __cfruid=d1db725338a0a9a40800e81127effa72b4e1cbde-1654931039
Origin: https://example.com
sec-ch-ua:
sec-ch-ua-mobile: ?0
Accept: */*
sec-ch-ua-platform:
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 0

Response:

HTTP/2 200 OK
Date: Sat, 11 Jun 2022 07:04:01 GMT
Server: redacted
Cf-Ray: 71987d814c2260bf-SEA
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

More details for https://example.com

Cookie scoped to parent domain

/

Issue detail:

The following cookie was issued by the application and is scoped to a parent of the issuing domain:
  • __cfruid
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function. In this case the Set-Cookie header is returned in a redirect response together with the CF-RAY and NEL/Report-To headers of the fronting edge service, so the cookie is set by the CDN/WAF layer rather than by the application itself, and its scope is governed by that service's configuration. Note also that the cookie is marked HttpOnly but carries neither a Secure nor a SameSite attribute.

Issue background

A cookie's Domain attribute determines which hosts receive the cookie. Browsers automatically submit the cookie in requests to in-scope hosts, and pages on those hosts can also read it via JavaScript unless the cookie is marked HttpOnly. If a cookie is scoped to a parent domain, then that cookie is accessible to the parent domain and to every other subdomain of it. If the cookie contains sensitive data (such as a session token), that data may be exposed to less trusted or less secure applications residing on those hosts, leading to a security compromise.

Issue remediation

By default (no Domain attribute), a cookie is host-only: it is sent back only to the exact host that set it. Legacy Internet Explorer also sent such cookies to subdomains, but current browsers do not. If you remove the explicit Domain attribute from your Set-Cookie header, the cookie will have this default scope, which is safe and appropriate in most situations. Setting Domain to the issuing host itself is not equivalent: any explicit Domain attribute also includes every subdomain of that domain. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems that support those applications.
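A small audit of the captured Set-Cookie header against the request host, as an added example rather than anything from the report or from Burp: it classifies the Domain scope under RFC 6265 matching rules (host-only, explicit domain plus its subdomains, parent domain, or rejected) and also lists missing Secure, HttpOnly and SameSite attributes. The cookie header is copied from the first finding below; the issuing host www.redacted.com is a hypothetical stand-in, because the report redacts it.

```python
"""Audit a Set-Cookie header for over-broad Domain scoping and missing flags.

Added example, not part of the scan report or of Burp Suite. The request host
is hypothetical: the report redacts the real hostname.
"""
from typing import Optional

# Set-Cookie value as captured in the report; the issuing host is assumed.
SAMPLE_SET_COOKIE = (
    "__cfruid=d75817bc7ad6710ac75db6ba48f6fc37f6551137-1654930833; "
    "path=/; domain=.redacted.com; HttpOnly"
)
ASSUMED_REQUEST_HOST = "www.redacted.com"  # hypothetical issuing host

FLAG_ATTRS = {"secure", "httponly"}  # attributes that carry no value


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        key = key.strip().lower()
        if key in FLAG_ATTRS or not has_eq:
            attrs[key] = True          # bare flag such as HttpOnly
        else:
            attrs[key] = val.strip()   # valued attribute such as domain=...
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookie_scope(domain_attr: Optional[str], request_host: str) -> str:
    """Classify how widely a cookie is shared, per RFC 6265 domain matching.

    host-only: no Domain attribute; sent only to request_host.
    domain-with-subdomains: Domain equals request_host; an explicit Domain
        always covers every subdomain, so this is broader than the default.
    parent-domain: request_host is a subdomain of Domain (this report's finding).
    rejected: Domain does not cover request_host; browsers drop the cookie.
    """
    host = request_host.lower().rstrip(".")
    if domain_attr is None:
        return "host-only"
    domain = domain_attr.lower().strip(".")
    if host == domain:
        return "domain-with-subdomains"
    if host.endswith("." + domain):
        return "parent-domain"
    return "rejected"


def audit_set_cookie(header: str, request_host: str) -> list:
    """Return human-readable findings for one Set-Cookie header."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    name = cookie["name"]
    findings = []
    scope = cookie_scope(attrs.get("domain"), request_host)
    if scope == "parent-domain":
        findings.append(f"{name}: scoped to parent domain {attrs['domain']}; "
                        f"readable by every host under it, not just {request_host}")
    elif scope == "domain-with-subdomains":
        findings.append(f"{name}: explicit Domain={attrs['domain']} also covers all its "
                        "subdomains; drop the attribute for a host-only cookie")
    elif scope == "rejected":
        findings.append(f"{name}: Domain={attrs['domain']} does not match {request_host}; "
                        "browsers will discard it")
    if not attrs.get("secure"):
        findings.append(f"{name}: missing Secure flag, so it may be sent over plain HTTP")
    if not attrs.get("httponly"):
        findings.append(f"{name}: missing HttpOnly flag, so page scripts can read it")
    if "samesite" not in attrs:
        findings.append(f"{name}: no SameSite attribute; the browser default applies")
    return findings


if __name__ == "__main__":
    for line in audit_set_cookie(SAMPLE_SET_COOKIE, ASSUMED_REQUEST_HOST):
        print(line)
```

Run against the captured header, the audit reports the parent-domain scope together with the missing Secure and SameSite attributes; HttpOnly is present and is not flagged.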

Vulnerability classifications

Request:

GET / HTTP/1.1
Host: https://example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/1.1 301 Moved Permanently
Date: Sat, 11 Jun 2022 07:00:33 GMT
Connection: close
Cache-Control: max-age=3600
Expires: Sat, 11 Jun 2022 08:00:33 GMT
Location: https://example.com/
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=%2FUALE32sIebIUo0DOfNh0d0AVf5FfGomVqTAAlbT%2FdyKoCo1Cr6vwT9slKXiN9Ru5jUdIU4qjqv0Fyn1EpWNLtl5fgwns8tSuUzMKsUw8sCwyfRkEFnzHfeBobZZPpuyIaPAXsrR"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Set-Cookie: __cfruid=d75817bc7ad6710ac75db6ba48f6fc37f6551137-1654930833; path=/; domain=.redacted.com; HttpOnly
Server: redacted
CF-RAY: 7198786d5cb8091d-SEA
Content-Length: 0

Cookie scoped to parent domain

/redacted

Issue detail:

The following cookie was issued by the application and is scoped to a parent of the issuing domain:
  • __cfruid
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Vulnerability classifications

Request:

GET /redacted HTTP/1.1
Host: https://example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/1.1 301 Moved Permanently
Date: Sat, 11 Jun 2022 07:01:42 GMT
Connection: close
Cache-Control: max-age=3600
Expires: Sat, 11 Jun 2022 08:01:42 GMT
Location: https://example.com/help
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=qCzD4g%2F1kw7nbUSLpSh0sZ853HE6ito40XIvo%2FH%2BQhbpe6Uze7RDJ3zIVdgeyhfcckimNlr08Yf5F6UtGxxIUHP2pXethA72jAjfSVSQPcrYYselewPcD77kfWRFfDVkpHVlmKbY"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Set-Cookie: __cfruid=b4ed5cee943ab8a032d98b9afb748493ad5508af-1654930902; path=/; domain=.redacted.com; HttpOnly
Server: redacted
CF-RAY: 71987a1a99db3a0e-SEA
Content-Length: 0

Cookie scoped to parent domain

/redacted

Issue detail:

The following cookie was issued by the application and is scoped to a parent of the issuing domain:
  • __cfruid
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Vulnerability classifications

Request:

GET /redacted HTTP/1.1
Host: https://example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/1.1 301 Moved Permanently
Date: Sat, 11 Jun 2022 07:01:43 GMT
Connection: close
Cache-Control: max-age=3600
Expires: Sat, 11 Jun 2022 08:01:43 GMT
Location: https://example.com/redacted
Set-Cookie: __cfruid=f6065aa88005db6a289e73f76240abfef21a0126-1654930903; path=/; domain=.redacted.com; HttpOnly
Server: redacted
CF-RAY: 71987a23eb0b0927-SEA
Content-Length: 0

Cookie scoped to parent domain

/redacted

Issue detail:

The following cookie was issued by the application and is scoped to a parent of the issuing domain:
  • __cfruid
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Vulnerability classifications

Request:

GET /redacted HTTP/1.1
Host: https://example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/1.1 301 Moved Permanently
Date: Sat, 11 Jun 2022 07:01:45 GMT
Connection: close
Cache-Control: max-age=3600
Expires: Sat, 11 Jun 2022 08:01:45 GMT
Location: https://example.com/redacted
Set-Cookie: __cfruid=b7ee4175eb89f8f65a910c14e5e855b2fd3a1516-1654930905; path=/; domain=.redacted.com; HttpOnly
Server: redacted
CF-RAY: 71987a2e0a7f5fbc-SEA
Content-Length: 0

Cookie scoped to parent domain

/redacted

Issue detail:

The following cookie was issued by the application and is scoped to a parent of the issuing domain:
  • __cfruid
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Vulnerability classifications

Request:

GET /redacted HTTP/1.1
Host: https://example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/1.1 301 Moved Permanently
Date: Sat, 11 Jun 2022 07:02:48 GMT
Connection: close
Cache-Control: max-age=3600
Expires: Sat, 11 Jun 2022 08:02:48 GMT
Location: https://example.com/redacted
Set-Cookie: __cfruid=692fabd448314c08d72b2f148b1c1328793fe491-1654930968; path=/; domain=.redacted.com; HttpOnly
Server: redacted
CF-RAY: 71987bb8dde327ea-SEA
Content-Length: 0

Cookie scoped to parent domain

/redacted

Issue detail:

The following cookie was issued by the application and is scoped to a parent of the issuing domain:
  • __cfruid
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Vulnerability classifications

Request:

GET /redacted HTTP/1.1
Host: https://example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/1.1 301 Moved Permanently
Date: Sat, 11 Jun 2022 07:02:46 GMT
Connection: close
Cache-Control: max-age=3600
Expires: Sat, 11 Jun 2022 08:02:46 GMT
Location: https://example.com/redacted
Set-Cookie: __cfruid=7ef2437b49ccb592ab22c9631737966ef28f6125-1654930966; path=/; domain=.redacted.com; HttpOnly
Server: redacted
CF-RAY: 71987bae8cb3610e-SEA
Content-Length: 0

Cookie scoped to parent domain

/redacted

Issue detail:

The following cookie was issued by the application and is scoped to a parent of the issuing domain:
  • __cfruid
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Vulnerability classifications

Request:

GET /redacted HTTP/1.1
Host: https://example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/1.1 301 Moved Permanently
Date: Sat, 11 Jun 2022 07:00:37 GMT
Connection: close
Cache-Control: max-age=3600
Expires: Sat, 11 Jun 2022 08:00:37 GMT
Location: https://example.com/login
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=%2F%2B0j4iAiIhKtlxfKUYRRvGBw1A3CoB8kliM2XyzsJvn3k%2BclSaArx8aLpFKX9A4mzLetuBJjeizmhrt5uLVNbpHqg5OIa%2B%2By8ci4AnmMoFVaR2izPeSz3z7iifpcca9GK%2BnkBk4N"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Set-Cookie: __cfruid=d8bd325d60ec6072ebaf4ebdf5385a328bf88620-1654930837; path=/; domain=.redacted.com; HttpOnly
Server: redacted
CF-RAY: 719878863c0f611a-SEA
Content-Length: 0

Cookie scoped to parent domain

/redacted

Issue detail:

The following cookie was issued by the application and is scoped to a parent of the issuing domain:
  • __cfruid
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Vulnerability classifications

Request:

GET /redacted HTTP/1.1
Host: https://example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/1.1 301 Moved Permanently
Date: Sat, 11 Jun 2022 07:00:38 GMT
Connection: close
Cache-Control: max-age=3600
Expires: Sat, 11 Jun 2022 08:00:38 GMT
Location: https://example.com/query
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=GITu%2FNkeUJ7i4GNvI8eqYIL8PI8PhziTbWEkjnRpK5ZqLqoUhNYcNBik1jzvHozRQg91RPLgFSl4Xdh1Yc6z%2Bch1htbvWD48lpVK4FO%2BLrybGXSUNTc7iDGy1yRu3745H7hflz4W"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Set-Cookie: __cfruid=8d467a9836d19fd26dfe28fbf19907453cba442d-1654930838; path=/; domain=.redacted.com; HttpOnly
Server: redacted
CF-RAY: 7198788f9990611a-SEA
Content-Length: 0

Cookie scoped to parent domain

/redacted

Issue detail:

The following cookie was issued by the application and is scoped to a parent of the issuing domain:
  • __cfruid
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Vulnerability classifications

Request:

GET /redacted HTTP/1.1
Host: https://example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Connection: close
Cache-Control: max-age=0

Response:

HTTP/1.1 301 Moved Permanently
Date: Sat, 11 Jun 2022 07:01:40 GMT
Connection: close
Cache-Control: max-age=3600
Expires: Sat, 11 Jun 2022 08:01:40 GMT
Location: https://example.com/settings
Report-To: {"endpoints":[{"url":"https:\/\/redacted.com\/report\/v3?s=TOW3kVkXp0bQxMYOOZT7OMzLRtYV6%2FXOyYqp9xIhzJLiSAhal9Kjiko6HpWytDihL7fQx3esZQiCibP5337D%2FSZKaZ1IOXiFT10xheOjwURaL6hW%2BzOcUa0AArPFOf54aerC8ZdK"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Set-Cookie: __cfruid=c5070c5ee4b26bb8d7c32b51ade8b2dbe7f31828-1654930900; path=/; domain=.redacted.com; HttpOnly
Server: redacted
CF-RAY: 71987a1159355fda-SEA
Content-Length: 0