Scribd
Upload
31 views

PentestTools WebsiteScanner Report

The website vulnerability scanner report found the website has a medium overall risk level. It detected the server certificate is not trusted, a robots.txt file was found, and the server software and technology was detected. It did not find any vulnerabilities for server-side software, client access policies, or enabled debug methods. The security.txt file was also missing from the website.

Uploaded by

deldengc
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
31 views

PentestTools WebsiteScanner Report

The website vulnerability scanner report found the website has a medium overall risk level. It detected the server certificate is not trusted, a robots.txt file was found, and the server software and technology was detected. It did not find any vulnerabilities for server-side software, client access policies, or enabled debug methods. The security.txt file was also missing from the website.

Uploaded by

deldengc
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

Website Vulnerability Scanner Report (Light)

Unlock the full capabilities of this scanner

See what the FULL scanner can do

Perform in-depth website scanning and discover high risk vulnerabilities.

Testing areas Light scan Full scan

Website fingerprinting  

Version-based vulnerability detection  


Common configuration issues  

SQL injection  

Cross-Site Scripting  
Local/Remote File Inclusion  

Remote command execution  

Discovery of sensitive files  

 https://185.75.167.138:443

Summary

Overall risk level: Risk ratings: Scan information:


Medium High: 0 Start time: 2023-03-17 20:38:21 UTC+02

Medium: 1 Finish time: 2023-03-17 20:39:09 UTC+02

Low: 2 Scan duration: 48 sec

Info: 16 Tests performed: 19/19

Scan status: Finished

Findings

 SSL/TLS: Server certificate is not trusted CONFIRMED

URL

https://185.75.167.138:443

 Details

Risk description:
The SSL certificate presented by the web server is not trusted by web browsers. This makes it really difficult for humans to distinguish
between the real certificate presented by the server and a fake SSL certificate. An attacker could easily mount a man-in-the-middle attack in
order to sniff the SSL communication by presenting the user a fake SSL certificate.

Recommendation:
We recommend you to configure a trusted SSL certificate for the web server. Examples of how to configure SSL for various servers for
Apache and Nginx are referenced.

1/4
References:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
http://nginx.org/en/docs/http/configuring_https_servers.html

Classification:
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration

 Robots.txt file found CONFIRMED

URL

https://185.75.167.138:443/robots.txt

 Details

Risk description:
There is no particular security risk in having a robots.txt file. However, this file is often misused by website administrators to try to hide some
web pages from the users. This should not be considered a security measure because these URLs can be easily read directly from the
robots.txt file.

Recommendation:
We recommend you to manually review the entries from robots.txt and remove the ones which lead to sensitive locations in the website (ex.
administration panels, configuration files, etc).

References:
https://www.theregister.co.uk/2015/05/19/robotstxt/

Classification:
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration

 Server software and technology found UNCONFIRMED 

Software / Version Category

Apache HTTP Server Web servers

PHP Programming languages

Nextcloud Digital asset management, Miscellaneous

 Details

Risk description:
An attacker could use this information to mount specific attacks against the identified software type and version.

Recommendation:
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating
system: HTTP server headers, HTML meta information, etc.

References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-
Fingerprint_Web_Server.html

Classification:
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration

 Security.txt file is missing CONFIRMED

URL

Missing: https://185.75.167.138:443/.well-known/security.txt

2/4
 Details

Risk description:
We have detected that the server is missing the security.txt file. There is no particular risk in not creating a valid Security.txt file for your
server. However, this file is important because it offers a designated channel for reporting vulnerabilities and security issues.

Recommendation:
We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users report any security
issues they find, improving the defensive mechanisms of your server.

References:
https://securitytxt.org/

Classification:
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration

 Website is accessible.

 Nothing was found for vulnerabilities of server-side software.

 Nothing was found for client access policies.

 Nothing was found for enabled HTTP debug methods.

 Nothing was found for secure communication.

 Nothing was found for directory listing.

 Nothing was found for missing HTTP header - Strict-Transport-Security.

 Nothing was found for missing HTTP header - Content Security Policy.

 Nothing was found for missing HTTP header - X-Frame-Options.

 Nothing was found for missing HTTP header - X-XSS-Protection.

 Nothing was found for missing HTTP header - X-Content-Type-Options.

 Nothing was found for missing HTTP header - Referrer.

 Nothing was found for domain too loose set for cookies.

 Nothing was found for HttpOnly flag of cookie.

3/4
 Nothing was found for Secure flag of cookie.

Scan coverage information

List of tests performed (19/19)


 Checking for website accessibility...
 Checking for website technologies...
 Checking for vulnerabilities of server-side software...
 Checking for client access policies...
 Checking for robots.txt file...
 Checking for absence of the security.txt file...
 Checking for use of untrusted certificates...
 Checking for enabled HTTP debug methods...
 Checking for secure communication...
 Checking for directory listing...
 Checking for missing HTTP header - Strict-Transport-Security...
 Checking for missing HTTP header - Content Security Policy...
 Checking for missing HTTP header - X-Frame-Options...
 Checking for missing HTTP header - X-XSS-Protection...
 Checking for missing HTTP header - X-Content-Type-Options...
 Checking for missing HTTP header - Referrer...
 Checking for domain too loose set for cookies...
 Checking for HttpOnly flag of cookie...
 Checking for Secure flag of cookie...

Scan parameters
Website URL: https://185.75.167.138:443
Scan type: Light
Authentication: False

Scan stats
Unique Injection Points Detected: 26
URLs spidered: 14
Total number of HTTP requests: 22
Average time until a response was
72ms
received:

4/4

You might also like