DdosReport (PDF)

File information

Title: ZAP Scanning Report
Author: godwa_coder

This PDF 1.7 document was generated by Microsoft: Print To PDF and uploaded to pdf-archive.com on 24/06/2016 at 21:25, from IP address 101.212.x.x. The document download page has been viewed 653 times.
File size: 296.87 KB (7 pages).
Privacy: public file

ZAP Scanning Report

Summary of Alerts

Risk Level       Number of Alerts
High             0
Medium           1
Low              5
Informational    0

Alert Detail

Medium (Medium)
X-Frame-Options Header Not Set

Description:
X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL:
http://www.icap.org.pk
http://www.icap.org.pk/robots.txt
http://www.icap.org.pk/wp-admin/
http://www.icap.org.pk/wp-admin/admin-ajax.php
http://www.icap.org.pk/icap/contact-us/
http://www.icap.org.pk/become-ca/
http://www.icap.org.pk/become-ca/why-chartered-accountancy/
http://www.icap.org.pk/become-ca/entry-routes/full-time-scheme/
http://www.icap.org.pk/become-ca/exemptions/
http://www.icap.org.pk/become-ca/fee/
http://www.icap.org.pk/students/
http://www.icap.org.pk/my-student/
http://www.icap.org.pk/students/study-resources/
http://www.icap.org.pk/students/study-resources/syllabus/
http://www.icap.org.pk/students/study-resources/examination-techniques/
http://www.icap.org.pk/students/study-resources/libraries-of-icap/

Instances: 16

Solution:
Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Other information:
At "High" threshold this scanner will not alert on client or server error responses.

Reference:
http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-xframe-options.aspx

Low (Medium)
Cookie set without HttpOnly flag

Description:
A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL: http://www.icap.org.pk
Parameter: PHPSESSID=367f2cfd505e07221281c50a9f5c4b26; path=/
Evidence: PHPSESSID=367f2cfd505e07221281c50a9f5c4b26; path=/

URL: http://www.icap.org.pk/robots.txt
Parameter: PHPSESSID=0921ee8b140f8ca634eac6e65bfb9ae2; path=/
Evidence: PHPSESSID=0921ee8b140f8ca634eac6e65bfb9ae2; path=/

URL: http://www.icap.org.pk/wp-admin/
Parameter: PHPSESSID=3ce2123d40e3170af9a4150a4bdc1202; path=/
Evidence: PHPSESSID=3ce2123d40e3170af9a4150a4bdc1202; path=/

URL: http://www.icap.org.pk/wp-admin/admin-ajax.php
Parameter: PHPSESSID=7b1c07d7772299df2ac5456292fe3a4f; path=/
Evidence: PHPSESSID=7b1c07d7772299df2ac5456292fe3a4f; path=/

URL: http://www.icap.org.pk
Parameter: PHPSESSID=8dc193824a1c1f89d5f317a1d831ae0a; path=/
Evidence: PHPSESSID=8dc193824a1c1f89d5f317a1d831ae0a; path=/

URL: http://www.icap.org.pk/wp-login.php?reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
Parameter: PHPSESSID=1c6527b98c6cb6b09c98dbcc5c329b95; path=/
Evidence: PHPSESSID=1c6527b98c6cb6b09c98dbcc5c329b95; path=/

URL: http://www.icap.org.pk/wp-login.php?reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
Parameter: wordpress_sec_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/wp-content/plugins
Evidence: wordpress_sec_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/wp-content/plugins

URL: http://www.icap.org.pk/wp-login.php?reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
Parameter: wordpress_logged_in_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/
Evidence: wordpress_logged_in_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/

URL: http://www.icap.org.pk/wp-login.php?reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
Parameter: wordpress_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/
Evidence: wordpress_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/

URL: http://www.icap.org.pk/wp-login.php?reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
Parameter: wordpress_sec_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/
Evidence: wordpress_sec_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/

URL: http://www.icap.org.pk/wp-login.php?reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
Parameter: wordpressuser_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/
Evidence: wordpressuser_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/

URL: http://www.icap.org.pk/wp-login.php?reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
Parameter: wordpresspass_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/
Evidence: wordpresspass_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/

URL: http://www.icap.org.pk/wp-login.php?reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
Parameter: wordpress_test_cookie=WP+Cookie+check; path=/
Evidence: wordpress_test_cookie=WP+Cookie+check; path=/

URL: http://www.icap.org.pk/wp-login.php?reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
Parameter: wordpress_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/wp-admin
Evidence: wordpress_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/wp-admin

URL: http://www.icap.org.pk/wp-login.php?reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
Parameter: wordpress_sec_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/wp-admin
Evidence: wordpress_sec_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/wp-admin

URL: http://www.icap.org.pk/wp-login.php?reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
Parameter: wordpress_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/wp-content/plugins
Evidence: wordpress_84d38c101445bdfc1b6e6c1822dba432=+; expires=Sun, 21-Jun-2015 07:09:41 GMT; path=/wp-content/plugins

URL: http://www.icap.org.pk/icap/contact-us/
Parameter: PHPSESSID=da910d2e9167f204741ff9aabc0c713a; path=/
Evidence: PHPSESSID=da910d2e9167f204741ff9aabc0c713a; path=/

URL: http://www.icap.org.pk/become-ca/
Parameter: PHPSESSID=3a6ac2073bbdd1b47f11659797ce2fcb; path=/
Evidence: PHPSESSID=3a6ac2073bbdd1b47f11659797ce2fcb; path=/

URL: http://www.icap.org.pk/become-ca/why-chartered-accountancy/
Parameter: PHPSESSID=c237171f28868c7585a3177692c86322; path=/
Evidence: PHPSESSID=c237171f28868c7585a3177692c86322; path=/

URL: http://www.icap.org.pk/become-ca/entry-routes/full-time-scheme/
Parameter: PHPSESSID=07cace2b2db2294d04cf35e975dcb6f6; path=/
Evidence: PHPSESSID=07cace2b2db2294d04cf35e975dcb6f6; path=/

Instances: 28

Solution:
Ensure that the HttpOnly flag is set for all cookies.

Reference:
www.owasp.org/index.php/HttpOnly

WASC Id: 13

Low (Medium)
Cross-Domain JavaScript Source File Inclusion

Description:
The page at the following URL includes one or more script files from a third-party domain

URL: http://www.icap.org.pk
Parameter: http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
Evidence: http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js

URL: http://www.icap.org.pk
Parameter: http://code.jquery.com/jquery-1.11.0.min.js
Evidence: http://code.jquery.com/jquery-1.11.0.min.js

URL: http://www.icap.org.pk
Parameter: http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
Evidence: http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js

URL: http://www.icap.org.pk/icap/contact-us/
Parameter: http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
Evidence: http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js

URL: http://www.icap.org.pk/icap/contact-us/
Parameter: http://code.jquery.com/jquery-1.11.0.min.js
Evidence: http://code.jquery.com/jquery-1.11.0.min.js

URL: http://www.icap.org.pk/icap/contact-us/
Parameter: http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
Evidence: http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js

URL: http://www.icap.org.pk/become-ca/
Parameter: http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
Evidence: http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js

URL: http://www.icap.org.pk/become-ca/
Parameter: http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
Evidence: http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js

URL: http://www.icap.org.pk/become-ca/
Parameter: http://code.jquery.com/jquery-1.11.0.min.js
Evidence: http://code.jquery.com/jquery-1.11.0.min.js

URL: http://www.icap.org.pk/become-ca/why-chartered-accountancy/
Parameter: http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
Evidence: http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js

URL: http://www.icap.org.pk/become-ca/why-chartered-accountancy/
Parameter: http://code.jquery.com/jquery-1.11.0.min.js
Evidence: http://code.jquery.com/jquery-1.11.0.min.js

URL: http://www.icap.org.pk/become-ca/why-chartered-accountancy/
Parameter: http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
Evidence: http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js

URL: http://www.icap.org.pk/become-ca/entry-routes/full-time-scheme/
Parameter: http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
Evidence: http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js

URL: http://www.icap.org.pk/become-ca/entry-routes/full-time-scheme/
Parameter: http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
Evidence: http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js

URL: http://www.icap.org.pk/become-ca/entry-routes/full-time-scheme/
Parameter: http://code.jquery.com/jquery-1.11.0.min.js
Evidence: http://code.jquery.com/jquery-1.11.0.min.js

URL: http://www.icap.org.pk/become-ca/exemptions/
Parameter: http://code.jquery.com/jquery-1.11.0.min.js
Evidence: http://code.jquery.com/jquery-1.11.0.min.js

URL: http://www.icap.org.pk/become-ca/exemptions/
Parameter: http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
Evidence: http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js

URL: http://www.icap.org.pk/become-ca/exemptions/
Parameter: http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
Evidence: http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js

URL: http://www.icap.org.pk/become-ca/fee/
Parameter: http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
Evidence: http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js

URL: http://www.icap.org.pk/become-ca/fee/
Parameter: http://code.jquery.com/jquery-1.11.0.min.js
Evidence: http://code.jquery.com/jquery-1.11.0.min.js

Instances: 39

Solution:
Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application

Low (Medium)
Web Browser XSS Protection Not Enabled

Description:
Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

URL:
http://www.icap.org.pk
http://www.icap.org.pk/robots.txt
http://www.icap.org.pk/wp-admin/
http://www.icap.org.pk/wp-admin/admin-ajax.php
http://www.icap.org.pk/wp-login.php?reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
http://www.icap.org.pk/icap/contact-us/
http://www.icap.org.pk/become-ca/
http://www.icap.org.pk/become-ca/why-chartered-accountancy/
http://www.icap.org.pk/become-ca/entry-routes/full-time-scheme/
http://www.icap.org.pk/become-ca/exemptions/
http://www.icap.org.pk/become-ca/fee/
http://www.icap.org.pk/students/
http://www.icap.org.pk/my-student/
http://www.icap.org.pk/students/study-resources/
http://www.icap.org.pk/students/study-resources/syllabus/
http://www.icap.org.pk/students/study-resources/examination-techniques/
http://www.icap.org.pk/students/study-resources/libraries-of-icap/

Instances: 17

Solution:
Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information:
The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=http://www.example.com/xss

The following values would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id: 933
WASC Id: 14

Low (Medium)
X-Content-Type-Options Header Missing

Description:
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL:
http://www.icap.org.pk
http://www.icap.org.pk/robots.txt
http://www.icap.org.pk/wp-admin/
http://www.icap.org.pk/wp-admin/admin-ajax.php
http://www.icap.org.pk/wp-login.php?reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
http://www.icap.org.pk/icap/contact-us/
http://www.icap.org.pk/become-ca/
http://www.icap.org.pk/become-ca/why-chartered-accountancy/
http://www.icap.org.pk/become-ca/entry-routes/full-time-scheme/
http://www.icap.org.pk/become-ca/exemptions/
http://www.icap.org.pk/become-ca/fee/
http://www.icap.org.pk/students/
http://www.icap.org.pk/my-student/
http://www.icap.org.pk/students/study-resources/
http://www.icap.org.pk/students/study-resources/syllabus/
http://www.icap.org.pk/students/study-resources/examination-techniques/
http://www.icap.org.pk/students/study-resources/libraries-of-icap/

Instances: 17

Solution:
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information:
This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference:
http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
https://www.owasp.org/index.php/List_of_useful_HTTP_headers

WASC Id: 15

Low (Medium)
Password Autocomplete in browser

Description:
AUTOCOMPLETE attribute is not disabled in HTML FORM/INPUT element containing password type input. Passwords may be stored in browsers and retrieved.

URL: http://www.icap.org.pk/wp-login.php?reauth=1&redirect_to=http%3A%2F%2Fwww.icap.org.pk%2Fwp-admin%2F
Parameter: input
Evidence: <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" />

URL: http://www.icap.org.pk/my-student/
Parameter: input
Evidence: <input name="password" type="password" class="textfield-bg2" id="Password" style="width:30%;" />

Instances: 2

Solution:
Turn off AUTOCOMPLETE attribute in form or individual input elements containing password by using AUTOCOMPLETE='OFF'

Reference:
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/forms/autocomplete_ovr.asp

CWE Id: 525