PDF Archive

Easily share your PDF documents with your contacts, on the Web and Social Networks.

Send a file File manager PDF Toolbox Search Help Contact



DdosReport .pdf



Original filename: DdosReport.pdf
Title: ZAP Scanning Report
Author: godwa_coder

This PDF 1.7 document has been generated by / Microsoft: Print To PDF, and has been sent on pdf-archive.com on 24/06/2016 at 21:25, from IP address 101.212.x.x. The current document download page has been viewed 393 times.
File size: 290 KB (7 pages).
Privacy: public file




Download original PDF file









Document preview


ZAP Scanning Report
Summary of Alerts
Risk Level

High
Medium
Low
Informational

Number of Alerts
0
1
5
0

Alert Detail
Medium (Medium)

X-Frame-Options Header Not Set

URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
Instances
Solution

http://www.icap.org.pk
http://www.icap.org.pk/robots.txt
http://www.icap.org.pk/wp-admin/
http://www.icap.org.pk/wp-admin/admin-ajax.php
http://www.icap.org.pk/icap/contact-us/
http://www.icap.org.pk/become-ca/
http://www.icap.org.pk/become-ca/why-chartered-accountancy/
http://www.icap.org.pk/become-ca/entry-routes/full-time-scheme/
http://www.icap.org.pk/become-ca/exemptions/
http://www.icap.org.pk/become-ca/fee/
http://www.icap.org.pk/students/
http://www.icap.org.pk/my-student/
http://www.icap.org.pk/students/study-resources/
http://www.icap.org.pk/students/study-resources/syllabus/
http://www.icap.org.pk/students/study-resources/examination-techniques/
http://www.icap.org.pk/students/study-resources/libraries-of-icap/
16
Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set
on all web pages returned by your site (if you expect the page to be framed only by
pages on your server (e.g. it's part of a FRAMESET) then you'll want to use
SAMEORIGIN, otherwise if you never expect the page to be framed, you should use
DENY. ALLOW-FROM allows specific websites to frame the web page in supported
web browsers).
At "High" threshold this scanner will not alert on client or server error responses.

Description

Other information
Reference
Low (Medium)
Description

X-Frame-Options header is not included in the HTTP response to protect against
'ClickJacking' attacks.

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-xframe-options.aspx
Cookie set without HttpOnly flag

A cookie has been set without the HttpOnly flag, which means that the cookie can
be accessed by JavaScript. If a malicious script can be run on this page then the
cookie will be accessible and can be transmitted to another site. If this is a session
cookie then session hijacking may be possible.

URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL

http://www.icap.org.pk
PHPSESSID=367f2cfd505e07221281c50a9f5c4b26; path=/
PHPSESSID=367f2cfd505e07221281c50a9f5c4b26; path=/
http://www.icap.org.pk/robots.txt
PHPSESSID=0921ee8b140f8ca634eac6e65bfb9ae2; path=/
PHPSESSID=0921ee8b140f8ca634eac6e65bfb9ae2; path=/
http://www.icap.org.pk/wp-admin/
PHPSESSID=3ce2123d40e3170af9a4150a4bdc1202; path=/
PHPSESSID=3ce2123d40e3170af9a4150a4bdc1202; path=/
http://www.icap.org.pk/wp-admin/admin-ajax.php
PHPSESSID=7b1c07d7772299df2ac5456292fe3a4f; path=/
PHPSESSID=7b1c07d7772299df2ac5456292fe3a4f; path=/
http://www.icap.org.pk
PHPSESSID=8dc193824a1c1f89d5f317a1d831ae0a; path=/
PHPSESSID=8dc193824a1c1f89d5f317a1d831ae0a; path=/
http://www.icap.org.pk/wp-login.php?
reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
PHPSESSID=1c6527b98c6cb6b09c98dbcc5c329b95; path=/
PHPSESSID=1c6527b98c6cb6b09c98dbcc5c329b95; path=/
http://www.icap.org.pk/wp-login.php?
reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
wordpress_sec_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun2015 07:09:41 GMT; path=/wp-content/plugins
wordpress_sec_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun2015 07:09:41 GMT; path=/wp-content/plugins
http://www.icap.org.pk/wp-login.php?
reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
wordpress_logged_in_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun,
21-Jun-2015 07:09:41 GMT; path=/
wordpress_logged_in_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun,
21-Jun-2015 07:09:41 GMT; path=/
http://www.icap.org.pk/wp-login.php?
reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
wordpress_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015
07:09:41 GMT; path=/
wordpress_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015
07:09:41 GMT; path=/
http://www.icap.org.pk/wp-login.php?
reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
wordpress_sec_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun2015 07:09:41 GMT; path=/
wordpress_sec_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun2015 07:09:41 GMT; path=/
http://www.icap.org.pk/wp-login.php?
reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
wordpressuser_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun2015 07:09:41 GMT; path=/
wordpressuser_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun2015 07:09:41 GMT; path=/

URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
Instances
Solution
Reference
WASC Id

http://www.icap.org.pk/wp-login.php?
reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
wordpresspass_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun2015 07:09:41 GMT; path=/
wordpresspass_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun2015 07:09:41 GMT; path=/
http://www.icap.org.pk/wp-login.php?
reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
wordpress_test_cookie=WP+Cookie+check; path=/
wordpress_test_cookie=WP+Cookie+check; path=/
http://www.icap.org.pk/wp-login.php?
reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
wordpress_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015
07:09:41 GMT; path=/wp-admin
wordpress_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015
07:09:41 GMT; path=/wp-admin
http://www.icap.org.pk/wp-login.php?
reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
wordpress_sec_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun2015 07:09:41 GMT; path=/wp-admin
wordpress_sec_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun2015 07:09:41 GMT; path=/wp-admin
http://www.icap.org.pk/wp-login.php?
reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
wordpress_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015
07:09:41 GMT; path=/wp-content/plugins
wordpress_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015
07:09:41 GMT; path=/wp-content/plugins
http://www.icap.org.pk/icap/contact-us/
PHPSESSID=da910d2e9167f204741ff9aabc0c713a; path=/
PHPSESSID=da910d2e9167f204741ff9aabc0c713a; path=/
http://www.icap.org.pk/become-ca/
PHPSESSID=3a6ac2073bbdd1b47f11659797ce2fcb; path=/
PHPSESSID=3a6ac2073bbdd1b47f11659797ce2fcb; path=/
http://www.icap.org.pk/become-ca/why-chartered-accountancy/
PHPSESSID=c237171f28868c7585a3177692c86322; path=/
PHPSESSID=c237171f28868c7585a3177692c86322; path=/
http://www.icap.org.pk/become-ca/entry-routes/full-time-scheme/
PHPSESSID=07cace2b2db2294d04cf35e975dcb6f6; path=/
PHPSESSID=07cace2b2db2294d04cf35e975dcb6f6; path=/
28
Ensure that the HttpOnly flag is set for all cookies.
www.owasp.org/index.php/HttpOnly
13

Low (Medium)

Cross-Domain JavaScript Source File Inclusion

Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence

Description

URL

The page at the following URL includes one or more script files from a third-party
domain
http://www.icap.org.pk

Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence

http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
http://www.icap.org.pk
http://code.jquery.com/jquery-1.11.0.min.js
http://code.jquery.com/jquery-1.11.0.min.js
http://www.icap.org.pk
http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
http://www.icap.org.pk/icap/contact-us/
http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
http://www.icap.org.pk/icap/contact-us/
http://code.jquery.com/jquery-1.11.0.min.js
http://code.jquery.com/jquery-1.11.0.min.js
http://www.icap.org.pk/icap/contact-us/
http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
http://www.icap.org.pk/become-ca/
http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
http://www.icap.org.pk/become-ca/
http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
http://www.icap.org.pk/become-ca/
http://code.jquery.com/jquery-1.11.0.min.js
http://code.jquery.com/jquery-1.11.0.min.js
http://www.icap.org.pk/become-ca/why-chartered-accountancy/
http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
http://www.icap.org.pk/become-ca/why-chartered-accountancy/
http://code.jquery.com/jquery-1.11.0.min.js
http://code.jquery.com/jquery-1.11.0.min.js
http://www.icap.org.pk/become-ca/why-chartered-accountancy/
http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
http://www.icap.org.pk/become-ca/entry-routes/full-time-scheme/
http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
http://www.icap.org.pk/become-ca/entry-routes/full-time-scheme/
http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
http://www.icap.org.pk/become-ca/entry-routes/full-time-scheme/
http://code.jquery.com/jquery-1.11.0.min.js
http://code.jquery.com/jquery-1.11.0.min.js
http://www.icap.org.pk/become-ca/exemptions/
http://code.jquery.com/jquery-1.11.0.min.js
http://code.jquery.com/jquery-1.11.0.min.js

URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
URL
Parameter
Evidence
Instances
Solution
Reference
Low (Medium)
Description

URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
Instances
Solution
Other information

http://www.icap.org.pk/become-ca/exemptions/
http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
http://www.icap.org.pk/become-ca/exemptions/
http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
http://www.icap.org.pk/become-ca/fee/
http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
http://www.icap.org.pk/become-ca/fee/
http://code.jquery.com/jquery-1.11.0.min.js
http://code.jquery.com/jquery-1.11.0.min.js
39
Ensure JavaScript source files are loaded from only trusted sources, and the
sources can't be controlled by end users of the application
Web Browser XSS Protection Not Enabled

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the
'X-XSS-Protection' HTTP response header on the web server
http://www.icap.org.pk
http://www.icap.org.pk/robots.txt
http://www.icap.org.pk/wp-admin/
http://www.icap.org.pk/wp-admin/admin-ajax.php
http://www.icap.org.pk/wp-login.php?
reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
http://www.icap.org.pk/icap/contact-us/
http://www.icap.org.pk/become-ca/
http://www.icap.org.pk/become-ca/why-chartered-accountancy/
http://www.icap.org.pk/become-ca/entry-routes/full-time-scheme/
http://www.icap.org.pk/become-ca/exemptions/
http://www.icap.org.pk/become-ca/fee/
http://www.icap.org.pk/students/
http://www.icap.org.pk/my-student/
http://www.icap.org.pk/students/study-resources/
http://www.icap.org.pk/students/study-resources/syllabus/
http://www.icap.org.pk/students/study-resources/examination-techniques/
http://www.icap.org.pk/students/study-resources/libraries-of-icap/
17
Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection
HTTP response header to '1'.
The X-XSS-Protection HTTP response header allows the web server to enable or
disable the web browser's XSS protection mechanism. The following values would
attempt to enable it:
X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:
X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet
Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS
payload (with a text-based content type, with a non-zero length).
Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)
_Prevention_Cheat_Sheet

CWE Id
WASC Id

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/
933
14

Low (Medium)

X-Content-Type-Options Header Missing

Description

URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
URL
Instances
Solution

Other information

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This
allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the
response body, potentially causing the response body to be interpreted and displayed
as a content type other than the declared content type. Current (early 2014) and legacy
versions of Firefox will use the declared content type (if one is set), rather than
performing MIME-sniffing.

http://www.icap.org.pk
http://www.icap.org.pk/robots.txt
http://www.icap.org.pk/wp-admin/
http://www.icap.org.pk/wp-admin/admin-ajax.php
http://www.icap.org.pk/wp-login.php?
reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
http://www.icap.org.pk/icap/contact-us/
http://www.icap.org.pk/become-ca/
http://www.icap.org.pk/become-ca/why-chartered-accountancy/
http://www.icap.org.pk/become-ca/entry-routes/full-time-scheme/
http://www.icap.org.pk/become-ca/exemptions/
http://www.icap.org.pk/become-ca/fee/
http://www.icap.org.pk/students/
http://www.icap.org.pk/my-student/
http://www.icap.org.pk/students/study-resources/
http://www.icap.org.pk/students/study-resources/syllabus/
http://www.icap.org.pk/students/study-resources/examination-techniques/
http://www.icap.org.pk/students/study-resources/libraries-of-icap/
17
Ensure that the application/web server sets the Content-Type header appropriately, and
that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
If possible, ensure that the end user uses a standards-compliant and modern web
browser that does not perform MIME-sniffing at all, or that can be directed by the web
application/web server to not perform MIME-sniffing.
This issue still applies to error type pages (401, 403, 500, etc) as those pages are often
still affected by injection issues, in which case there is still concern for browsers sniffing
pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.
Reference
WASC Id
Low (Medium)
Description

URL
Parameter
Evidence
URL
Parameter
Evidence
Instances
Solution
Reference
CWE Id

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
15
Password Autocomplete in browser

AUTOCOMPLETE attribute is not disabled in HTML FORM/INPUT element
containing password type input. Passwords may be stored in browsers and
retrieved.

http://www.icap.org.pk/wp-login.php?
reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
input
<input type="password" name="pwd" id="user_pass" class="input" value=""
size="20" />
http://www.icap.org.pk/my-student/
input
<input name="password" type="password" class="textfield-bg2" id="Password"
style="width:30%;" />
2
Turn off AUTOCOMPLETE attribute in form or individual input elements containing
password by using AUTOCOMPLETE='OFF'
http://msdn.microsoft.com/library/default.asp?
url=/workshop/author/forms/autocomplete_ovr.asp
525


Related documents


PDF Document biblio pp
PDF Document 1z0 339 exam questions updated demo 2018
PDF Document build a wordpress blog in1458
PDF Document secure your wordpress website w2ssolutions
PDF Document school management system
PDF Document how to fix the 403 forbidden error in wordpress


Related keywords