Scribd
Upload
6 views

PentestTools WebsiteScanner Report

Guide to pentest

Uploaded by

delonjacquesjuniorlouis
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
6 views

PentestTools WebsiteScanner Report

Guide to pentest

Uploaded by

delonjacquesjuniorlouis
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 6

Website Vulnerability Scanner Report

 https://krezypay.com/
Target added due to a redirect from https://www.krezypay.com

The Light Website Scanner didn't check for critical issues like SQLi, XSS, Command Injection, XXE, etc. Upgrade to run Deep scans with
40+ tests and detect more vulnerabilities.

Summary

Overall risk level: Risk ratings: Scan information:


High High: 1 Start time: Jul 02, 2024 / 16:00:24
Medium: 0 Finish time: Jul 02, 2024 / 16:01:09
Low: 6 Scan duration: 45 sec

Info: 12 Tests performed: 19/19

Scan status: Finished

Findings

 Vulnerabilities found for server-side software UNCONFIRMED 

Risk Affected
CVSS CVE Summary
Level software

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using
Apache and PHP-CGI on Windows, if the system is set up to use certain code pages,
Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 php
 9.8 CVE-2024-4577
API functions. PHP CGI module may misinterpret those characters as PHP options, which may 8.1.27
allow a malicious user to pass options to PHP binary being run, and thus reveal the source
code of scripts, run arbitrary PHP code on the server, etc.

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-
2024-1874 does not work if the command name includes trailing spaces. Original
php
 8.8 CVE-2024-5585 issue: when using proc_open() command with array syntax, due to insufficient escaping, if
8.1.27
the arguments of the executed command are controlled by a malicious user, the user can
supply arguments that would execute arbitrary commands in Windows shell.

The openssl_private_decrypt function in PHP, when using PKCS1 padding


(OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless
it is used with an OpenSSL version that includes the changes from this pull request:
https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes
are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux
php
 5.9 CVE-2024-2408 distributions, as well as to the PHP builds provided for Windows since the previous release.
8.1.27
All distributors and builders should ensure that this version is used to prevent PHP from
being vulnerable.

PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL
patches that fix the vulnerability.

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code
logic error, filtering functions such as filter_var when validating
URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user php
 5.3 CVE-2024-5458
information (username + password part of URLs) being treated as valid user information. This 8.1.27
may lead to the downstream code accepting invalid URLs as valid and parsing them
incorrectly.

 Details

Risk description:
The risk is that an attacker could search for an appropriate exploit (or create one himself) for any of these vulnerabilities and use it to
attack the system.

1/6
Recommendation:
We recommend you to upgrade the affected software to the latest version in order to eliminate the risk of these vulnerabilities.

Classification:
CWE : CWE-1026
OWASP Top 10 - 2013 : A9 - Using Components with Known Vulnerabilities
OWASP Top 10 - 2017 : A9 - Using Components with Known Vulnerabilities
OWASP Top 10 - 2021 : A6 - Vulnerable and Outdated Components

 Unsafe security header: Content-Security-Policy CONFIRMED

URL Evidence

Response headers include the HTTP Content-Security-Policy security header with the following security issues:
default-src: The default-src directive should be set as a fall-back when other restrictions have not
been specified.
script-src: script-src directive is missing.
object-src: Missing object-src allows the injection of plugins which can execute JavaScript. We
https://krezypay.com/
recommend setting it to 'none'.
base-uri: Missing base-uri allows the injection of base tags. They can be used to set the base URL for
all relative (script) URLs to an attacker controlled domain. We recommend setting it to 'none' or
'self'.
Request / Response

 Details

Risk description:
For example, if the unsafe-inline directive is present in the CSP header, the execution of inline scripts and event handlers is allowed. This
can be exploited by an attacker to execute arbitrary JavaScript code in the context of the vulnerable application.

Recommendation:
Remove the unsafe values from the directives, adopt nonces or hashes for safer inclusion of inline scripts if they are needed, and explicitly
define the sources from which scripts, styles, images or other resources can be loaded.

References:
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Classification:
CWE : CWE-693
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Missing security header: X-Content-Type-Options CONFIRMED

URL Evidence

Response headers do not include the X-Content-Type-Options HTTP security header


https://krezypay.com/
Request / Response

 Details

Risk description:
The risk is that lack of this header could make possible attacks such as Cross-Site Scripting or phishing in Internet Explorer browsers.

Recommendation:
We recommend setting the X-Content-Type-Options header such as X-Content-Type-Options: nosniff .

References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Classification:
CWE : CWE-693
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

2/6
 Missing security header: Referrer-Policy CONFIRMED

URL Evidence

Response headers do not include the Referrer-Policy HTTP security header as well as the <meta> tag with name
https://krezypay.com/ 'referrer' is not present in the response.
Request / Response

 Details

Risk description:
The risk is that if a user visits a web page (e.g. "http://example.com/pricing/") and clicks on a link from that page going to e.g.
"https://www.google.com", the browser will send to Google the full originating URL in the Referer header, assuming the Referrer-Policy
header is not set. The originating URL could be considered sensitive information and it could be used for user tracking.

Recommendation:
The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value
no-referrer of this header instructs the browser to omit the Referer header entirely.

References:
https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns

Classification:
CWE : CWE-693
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Missing security header: Strict-Transport-Security CONFIRMED

URL Evidence

Response headers do not include the HTTP Strict-Transport-Security header


https://krezypay.com/
Request / Response

 Details

Risk description:
The risk is that lack of this header permits an attacker to force a victim user to initiate a clear-text HTTP connection to the server, thus
opening the possibility to eavesdrop on the network traffic and extract sensitive information (e.g. session cookies).

Recommendation:
The Strict-Transport-Security HTTP header should be sent with each HTTPS response. The syntax is as follows:

Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]

The parameter max-age gives the time frame for requirement of HTTPS in seconds and should be chosen quite high, e.g. several months.
A value below 7776000 is considered as too low by this scanner check.
The flag includeSubDomains defines that the policy applies also for sub domains of the sender of the response.

Classification:
CWE : CWE-693
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Robots.txt file found CONFIRMED

URL

https://krezypay.com/robots.txt

 Details

Risk description:
There is no particular security risk in having a robots.txt file. However, it's important to note that adding endpoints in it should not be
considered a security measure, as this file can be directly accessed and read by anyone.

Recommendation:
We recommend you to manually review the entries from robots.txt and remove the ones which lead to sensitive locations in the website

3/6
(ex. administration panels, configuration files, etc).

References:
https://www.theregister.co.uk/2015/05/19/robotstxt/

Classification:
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Server software and technology found UNCONFIRMED 

Software / Version Category

LiteSpeed Web servers

MySQL Databases

PHP 8.1.27 Programming languages

HTTP/3 Miscellaneous

WordPress 6.5.5 CMS, Blogs

Hostinger Hosting

 Details

Risk description:
The risk is that an attacker could use this information to mount specific attacks against the identified software type and version.

Recommendation:
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating
system: HTTP server headers, HTML meta information, etc.

References:
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-
Fingerprint_Web_Server.html

Classification:
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Security.txt file is missing CONFIRMED

URL

Missing: https://krezypay.com/.well-known/security.txt

 Details

Risk description:
There is no particular risk in not having a security.txt file for your server. However, this file is important because it offers a designated
channel for reporting vulnerabilities and security issues.

Recommendation:
We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users report any security
issues they find, improving the defensive mechanisms of your server.

References:
https://securitytxt.org/

Classification:
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

4/6
 HTTP OPTIONS enabled CONFIRMED

URL Method Summary

We did a HTTP OPTIONS request.


https://krezypay.com/ OPTIONS
The server responded with a 200 status code and the header: Allow: OPTIONS,HEAD,GET,POST
Request / Response

 Details

Risk description:
The only risk this might present nowadays is revealing debug HTTP methods that can be used on the server. This can present a danger if
any of those methods can lead to sensitive information, like authentication information, secret keys.

Recommendation:
We recommend that you check for unused HTTP methods or even better, disable the OPTIONS method. This can be done using your
webserver configuration.

References:
https://techcommunity.microsoft.com/t5/iis-support-blog/http-options-and-default-page-vulnerabilities/ba-p/1504845
https://docs.nginx.com/nginx-management-suite/acm/how-to/policies/allowed-http-methods/

Classification:
CWE : CWE-16
OWASP Top 10 - 2013 : A5 - Security Misconfiguration
OWASP Top 10 - 2017 : A6 - Security Misconfiguration
OWASP Top 10 - 2021 : A5 - Security Misconfiguration

 Website is accessible.

 Nothing was found for client access policies.

 Nothing was found for use of untrusted certificates.

 Nothing was found for enabled HTTP debug methods.

 Nothing was found for secure communication.

 Nothing was found for directory listing.

 Nothing was found for missing HTTP header - Content Security Policy.

 Nothing was found for domain too loose set for cookies.

 Nothing was found for HttpOnly flag of cookie.

 Nothing was found for Secure flag of cookie.

Scan coverage information

5/6
List of tests performed (19/19)
 Starting the scan...
 Checking for unsafe HTTP header Content Security Policy...
 Checking for missing HTTP header - X-Content-Type-Options...
 Checking for missing HTTP header - Referrer...
 Checking for missing HTTP header - Strict-Transport-Security...
 Checking for website technologies...
 Checking for vulnerabilities of server-side software...
 Checking for client access policies...
 Checking for robots.txt file...
 Checking for absence of the security.txt file...
 Checking for use of untrusted certificates...
 Checking for enabled HTTP debug methods...
 Checking for enabled HTTP OPTIONS method...
 Checking for secure communication...
 Checking for directory listing...
 Checking for missing HTTP header - Content Security Policy...
 Checking for domain too loose set for cookies...
 Checking for HttpOnly flag of cookie...
 Checking for Secure flag of cookie...

Scan parameters
Target: https://krezypay.com/
Scan type: Light
Authentication: False

Scan stats
Unique Injection Points Detected: 42
URLs spidered: 3
Total number of HTTP requests: 12
Average time until a response was
560ms
received:

6/6

You might also like