Koota Koperasi

Sites: https://api.koota.id http://api.koota.id https://koperasi.koota.id

http://koperasi.koota.id
Generated on Fri, 9 Jun 2023 21:06:49

ZAP Version: 2.12.0

Summary of Alerts

Risk Level Number of Alerts

High 0
Medium 6
Low 8

Alerts

Number of
Name Risk Level
Instances
Absence of Anti-CSRF Tokens Medium 3
Content Security Policy (CSP) Header Not Set Medium 19
HTTP to HTTPS Insecure Transition in Form Post Medium 1
Hidden File Found Medium 4
Missing Anti-clickjacking Header Medium 7
Vulnerable JS Library Medium 1
Big Redirect Detected (Potential Sensitive
Low 5
Information Leak)
Cookie No HttpOnly Flag Low 7
Cookie Without Secure Flag Low 15
Cookie without SameSite Attribute Low 4
Cross-Domain JavaScript Source File Inclusion Low 3
Server Leaks Version Information via "Server"
Low 74
HTTP Response Header Field
Timestamp Disclosure - Unix Low 21
X-Content-Type-Options Header Missing Low 44

Alert Detail

Medium Absence of Anti-CSRF Tokens

No Anti-CSRF tokens were found in a HTML submission form.

A cross-site request forgery is an attack that involves forcing a victim to send an HTTP
request to a target destination without their knowledge or intent in order to perform an
action as the victim. The underlying cause is application functionality using predictable URL
/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust
that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a
user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they
 can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session
riding, confused deputy, and sea surf.

CSRF attacks are effective in a number of situations, including:

Description
* The victim has an active session on the target site.

* The victim is authenticated via HTTP auth on the target site.

* The victim is on the same local network as the target site.

CSRF has primarily been used to perform an action against a target site using the victim's
privileges, but recent techniques have been discovered to disclose information by gaining
access to the response. The risk of information disclosure is dramatically increased when
the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF,
allowing the attack to operate within the bounds of the same-origin policy.

URL https://koperasi.koota.id/login
Method GET
Attack
Evidence <form class="login-form" method="post" action="https://koperasi.koota.id/login/submit">
URL https://koperasi.koota.id/login/submit
Method GET
Attack
Evidence <form class="login-form" method="post" action="https://koperasi.koota.id/login/submit">
URL https://koperasi.koota.id/login/submit
Method POST
Attack
Evidence <form class="login-form" method="post" action="https://koperasi.koota.id/login/submit">
Instances 3
Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides
constructs that make this weakness easier to avoid.

For example, use anti-CSRF packages such as the OWASP CSRFGuard.

Phase: Implementation

Ensure that your application is free of cross-site scripting issues, because most CSRF
defenses can be bypassed using attacker-controlled script.

Phase: Architecture and Design

Generate a unique nonce for each form, place the nonce into the form, and verify the nonce
upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).

Note that this can be bypassed using XSS.

Solution
Identify especially dangerous operations. When the user performs a dangerous operation,
send a separate confirmation request to ensure that the user intended to perform that
operation.

Note that this can be bypassed using XSS.

Use the ESAPI Session Management control.

This control includes a component for CSRF.

Do not use the GET method for any request that triggers a state change.
 Phase: Implementation

Check the HTTP Referer header to see if the request originated from an expected page.
This could break legitimate functionality, because users or proxies may have disabled
sending the Referer for privacy reasons.
http://projects.webappsec.org/Cross-Site-Request-Forgery
Reference
http://cwe.mitre.org/data/definitions/352.html
CWE Id 352
WASC Id 9
Plugin Id 10202

Medium Content Security Policy (CSP) Header Not Set

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate
certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
These attacks are used for everything from data theft to site defacement or distribution of
Description malware. CSP provides a set of standard HTTP headers that allow website owners to
declare approved sources of content that browsers should be allowed to load on that page
— covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable
objects such as Java applets, ActiveX, audio and video files.

URL http://api.koota.id
Method GET
Attack
Evidence
URL http://api.koota.id/sitemap.xml
Method GET
Attack
Evidence
URL http://koperasi.koota.id/assets/
Method GET
Attack
Evidence
URL http://koperasi.koota.id/assets/css/
Method GET
Attack
Evidence
URL http://koperasi.koota.id/assets/fonts/
Method GET
Attack
Evidence
URL http://koperasi.koota.id/assets/fonts/material-design-icons/
Method GET
Attack
Evidence
URL http://koperasi.koota.id/assets/images/
Method GET
Attack
 Evidence
URL http://koperasi.koota.id/assets/images/captcha/
Method GET
Attack
Evidence
URL http://koperasi.koota.id/assets/images/theme/
Method GET
Attack
Evidence
URL http://koperasi.koota.id/assets/js/
Method GET
Attack
Evidence
URL http://koperasi.koota.id/assets/vendors/
Method GET
Attack
Evidence
URL https://api.koota.id/forgot-password
Method GET
Attack
Evidence
URL https://api.koota.id/login
Method GET
Attack
Evidence
URL https://koperasi.koota.id/%5C%22javascript:reload();%5C%22
Method GET
Attack
Evidence
URL https://koperasi.koota.id/login
Method GET
Attack
Evidence
URL https://koperasi.koota.id/login/%5C%22javascript:reload();%5C%22
Method GET
Attack
Evidence
URL https://koperasi.koota.id/login/reload
Method GET
Attack
Evidence
 URL https://koperasi.koota.id/login/submit
Method GET
Attack
Evidence
URL https://koperasi.koota.id/login/submit
Method POST
Attack
Evidence
Instances 19
Ensure that your web server, application server, load balancer, etc. is configured to set the
Content-Security-Policy header, to achieve optimal browser support: "Content-Security-
Solution
Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox
4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+.
https://developer.mozilla.org/en-US/docs/Web/Security/CSP
/Introducing_Content_Security_Policy
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

Reference http://www.w3.org/TR/CSP/
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
http://caniuse.com/#feat=contentsecuritypolicy
http://content-security-policy.com/
CWE Id 693
WASC Id 15
Plugin Id 10038

Medium HTTP to HTTPS Insecure Transition in Form Post

This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an
Description insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can
be replaced or spoofed.

URL http://api.koota.id
Method GET
Attack
Evidence https://api.koota.id/login
Instances 1
Solution Use HTTPS for landing pages that host secure forms.
Reference
CWE Id 319
WASC Id 15
Plugin Id 10041

Medium Hidden File Found

A sensitive file was identified as accessible or available. This may leak administrative,
Description configuration, or credential information which can be leveraged by a malicious individual to
further attack the system or conduct social engineering efforts.

URL https://koperasi.koota.id/._darcs
Method GET
Attack
Evidence HTTP/1.1 307 Temporary Redirect
 URL https://koperasi.koota.id/.bzr
Method GET
Attack
Evidence HTTP/1.1 307 Temporary Redirect
URL https://koperasi.koota.id/.hg
Method GET
Attack
Evidence HTTP/1.1 307 Temporary Redirect
URL https://koperasi.koota.id/BitKeeper
Method GET
Attack
Evidence HTTP/1.1 307 Temporary Redirect
Instances 4
Consider whether or not the component is actually required in production, if it isn't then
Solution disable it. If it is then ensure access to it requires appropriate authentication and
authorization, or limit exposure to internal systems or specific source IPs, etc.
https://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-
Reference
Web-Servers.html
CWE Id 538
WASC Id 13
Plugin Id 40035

Medium Missing Anti-clickjacking Header

The response does not include either Content-Security-Policy with 'frame-ancestors'
Description
directive or X-Frame-Options to protect against 'ClickJacking' attacks.

URL http://api.koota.id
Method GET
Attack
Evidence
URL https://api.koota.id/forgot-password
Method GET
Attack
Evidence
URL https://api.koota.id/login
Method GET
Attack
Evidence
URL https://koperasi.koota.id/login
Method GET
Attack
Evidence
URL https://koperasi.koota.id/login/reload
Method GET
 Attack
Evidence
URL https://koperasi.koota.id/login/submit
Method GET
Attack
Evidence
URL https://koperasi.koota.id/login/submit
Method POST
Attack
Evidence
Instances 7
Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP
headers. Ensure one of them is set on all web pages returned by your site/app.

Solution If you expect the page to be framed only by pages on your server (e.g. it's part of a
FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page
to be framed, you should use DENY. Alternatively consider implementing Content Security
Policy's "frame-ancestors" directive.
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id 1021
WASC Id 15
Plugin Id 10020

Medium Vulnerable JS Library

Description The identified library jquery, version 3.4.1 is vulnerable.

URL https://koperasi.koota.id/assets/js/vendors.min.js
Method GET
Attack
Evidence /*! jQuery v3.4.1
Instances 1
Solution Please upgrade to the latest version of jquery.
Reference https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
CWE Id 829
WASC Id
Plugin Id 10003

Low Big Redirect Detected (Potential Sensitive Information Leak)

The server has responded with a redirect that seems to provide a large response. This may
Description indicate that although the server sent a redirect it also responded with body content (which
may include sensitive details, PII, etc.).

URL http://api.koota.id
Method GET
Attack
Evidence
URL https://api.koota.id/
Method GET
 Attack
Evidence
URL https://api.koota.id/dashboard
Method GET
Attack
Evidence
URL https://api.koota.id/forgot-password
Method POST
Attack
Evidence
URL https://api.koota.id/login
Method POST
Attack
Evidence
Instances 5
Ensure that no sensitive information is leaked via redirect responses. Redirect responses
Solution
should have almost no content.
Reference
CWE Id 201
WASC Id 13
Plugin Id 10044

Low Cookie No HttpOnly Flag

A cookie has been set without the HttpOnly flag, which means that the cookie can be
accessed by JavaScript. If a malicious script can be run on this page then the cookie will be
Description
accessible and can be transmitted to another site. If this is a session cookie then session
hijacking may be possible.

URL http://api.koota.id
Method GET
Attack
Evidence set-cookie: XSRF-TOKEN
URL https://api.koota.id/
Method GET
Attack
Evidence set-cookie: XSRF-TOKEN
URL https://api.koota.id/dashboard
Method GET
Attack
Evidence set-cookie: XSRF-TOKEN
URL https://api.koota.id/forgot-password
Method GET
Attack
Evidence set-cookie: XSRF-TOKEN
URL https://api.koota.id/login
 Method GET
Attack
Evidence set-cookie: XSRF-TOKEN
URL https://api.koota.id/forgot-password
Method POST
Attack
Evidence set-cookie: XSRF-TOKEN
URL https://api.koota.id/login
Method POST
Attack
Evidence set-cookie: XSRF-TOKEN
Instances 7
Solution Ensure that the HttpOnly flag is set for all cookies.
Reference https://owasp.org/www-community/HttpOnly
CWE Id 1004
WASC Id 13
Plugin Id 10010

Low Cookie Without Secure Flag

A cookie has been set without the secure flag, which means that the cookie can be
Description
accessed via unencrypted connections.

URL https://api.koota.id/
Method GET
Attack
Evidence set-cookie: api_koota_session
URL https://api.koota.id/
Method GET
Attack
Evidence set-cookie: XSRF-TOKEN
URL https://api.koota.id/dashboard
Method GET
Attack
Evidence set-cookie: api_koota_session
URL https://api.koota.id/dashboard
Method GET
Attack
Evidence set-cookie: XSRF-TOKEN
URL https://api.koota.id/forgot-password
Method GET
Attack
Evidence set-cookie: api_koota_session
URL https://api.koota.id/forgot-password
 Method GET
Attack
Evidence set-cookie: XSRF-TOKEN
URL https://api.koota.id/login
Method GET
Attack
Evidence set-cookie: api_koota_session
URL https://api.koota.id/login
Method GET
Attack
Evidence set-cookie: XSRF-TOKEN
URL https://koperasi.koota.id
Method GET
Attack
Evidence set-cookie: ci_session
URL https://koperasi.koota.id/login/reload
Method GET
Attack
Evidence set-cookie: ci_session
URL https://koperasi.koota.id/robots.txt
Method GET
Attack
Evidence set-cookie: ci_session
URL https://api.koota.id/forgot-password
Method POST
Attack
Evidence set-cookie: api_koota_session
URL https://api.koota.id/forgot-password
Method POST
Attack
Evidence set-cookie: XSRF-TOKEN
URL https://api.koota.id/login
Method POST
Attack
Evidence set-cookie: api_koota_session
URL https://api.koota.id/login
Method POST
Attack
Evidence set-cookie: XSRF-TOKEN
Instances 15
Solution Whenever a cookie contains sensitive information or is a session token, then it should
always be passed using an encrypted channel. Ensure that the secure flag is set for
cookies containing such sensitive information.
https://owasp.org/www-project-web-security-testing-guide/v41/4-
Reference Web_Application_Security_Testing/06-Session_Management_Testing/02-
Testing_for_Cookies_Attributes.html
CWE Id 614
WASC Id 13
Plugin Id 10011

Low Cookie without SameSite Attribute

A cookie has been set without the SameSite attribute, which means that the cookie can be
Description sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter
measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

URL http://koperasi.koota.id/
Method GET
Attack
Evidence set-cookie: ci_session
URL https://koperasi.koota.id
Method GET
Attack
Evidence set-cookie: ci_session
URL https://koperasi.koota.id/login/reload
Method GET
Attack
Evidence set-cookie: ci_session
URL https://koperasi.koota.id/robots.txt
Method GET
Attack
Evidence set-cookie: ci_session
Instances 4
Solution Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
Reference https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site
CWE Id 1275
WASC Id 13
Plugin Id 10054

Low Cross-Domain JavaScript Source File Inclusion

Description The page includes one or more script files from a third-party domain.

URL http://api.koota.id
Method GET
Attack
Evidence <script src="https://cdn.jsdelivr.net/gh/alpinejs/[email protected]/dist/alpine.js" defer></script>
URL https://api.koota.id/forgot-password
Method GET
 Attack
Evidence <script src="https://cdn.jsdelivr.net/gh/alpinejs/[email protected]/dist/alpine.js" defer></script>
URL https://api.koota.id/login
Method GET
Attack
Evidence <script src="https://cdn.jsdelivr.net/gh/alpinejs/[email protected]/dist/alpine.js" defer></script>
Instances 3
Ensure JavaScript source files are loaded from only trusted sources, and the sources can't
Solution
be controlled by end users of the application.
Reference
CWE Id 829
WASC Id 15
Plugin Id 10017

Low Server Leaks Version Information via "Server" HTTP Response Header Field
The web/application server is leaking version information via the "Server" HTTP response
Description header. Access to such information may facilitate attackers identifying other vulnerabilities
your web/application server is subject to.

URL http://api.koota.id
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL http://api.koota.id/robots.txt
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL http://api.koota.id/sitemap.xml
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL http://koperasi.koota.id/
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL http://koperasi.koota.id/assets/
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL http://koperasi.koota.id/assets/css/
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL http://koperasi.koota.id/assets/fonts/
 Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL http://koperasi.koota.id/assets/fonts/material-design-icons/
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL http://koperasi.koota.id/assets/images/
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL http://koperasi.koota.id/assets/images/captcha/
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL http://koperasi.koota.id/assets/images/theme/
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL http://koperasi.koota.id/assets/js/
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL http://koperasi.koota.id/assets/vendors/
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://api.koota.id/
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://api.koota.id/css/app.css
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://api.koota.id/dashboard
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://api.koota.id/favicon.ico
Method GET
 Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://api.koota.id/forgot-password
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://api.koota.id/login
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://api.koota.id/logo.png
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/%5C%22javascript:reload();%5C%22
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/android-icon-192x192.png
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/apple-icon-114x114.png
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/apple-icon-120x120.png
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/apple-icon-144x144.png
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/apple-icon-152x152.png
Method GET
Attack
 Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/apple-icon-180x180.png
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/apple-icon-57x57.png
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/apple-icon-60x60.png
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/apple-icon-72x72.png
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/apple-icon-76x76.png
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/css
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/css/materialize.min.css
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/css/style.min.css
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/fonts
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/fonts/material-design-icons
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/fonts/material-design-icons/MaterialIcons-Regular.eot
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/fonts/material-design-icons/MaterialIcons-Regular.ttf
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/fonts/material-design-icons/MaterialIcons-Regular.woff
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/fonts/material-design-icons/MaterialIcons-Regular.woff2
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/images
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/images/background-login-Koota.jpg
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/images/captcha
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/images/captcha/1686303012.0759.jpg
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/images/captcha/1686303015.7908.jpg
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/images/captcha/1686303018.2103.jpg
 Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/images/captcha/1686303019.7943.jpg
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/images/captcha/1686303022.5779.jpg
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/images/captcha/1686303314.7831.jpg
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/images/captcha/1686303315.2842.jpg
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/images/captcha/1686303315.8053.jpg
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/images/captcha/1686303325.2506.jpg
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/images/theme
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/images/theme/logo-2.png
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/js
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/js/plugins.js
Method GET
 Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/js/vendors.min.js
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/vendors
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/assets/vendors/vendors.min.css
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/favicon-16x16.png
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/favicon-32x32.png
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/favicon-96x96.png
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/login
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/login/%5C%22javascript:reload();%5C%22
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/login/reload
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/login/submit
Method GET
Attack
 Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/manifest.json
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/robots.txt
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/sitemap.xml
Method GET
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://api.koota.id/forgot-password
Method POST
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://api.koota.id/login
Method POST
Attack
Evidence Apache/2.4.41 (Ubuntu)
URL https://koperasi.koota.id/login/submit
Method POST
Attack
Evidence Apache/2.4.41 (Ubuntu)
Instances 74
Ensure that your web server, application server, load balancer, etc. is configured to
Solution
suppress the "Server" header or provide generic details.
http://httpd.apache.org/docs/current/mod/core.html#servertokens
http://msdn.microsoft.com/en-us/library/ff648552.aspx#ht_urlscan_007
Reference http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-
headers.aspx
http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html
CWE Id 200
WASC Id 13
Plugin Id 10036

Low Timestamp Disclosure - Unix

Description A timestamp was disclosed by the application/web server - Unix

URL https://koperasi.koota.id/apple-icon-114x114.png
Method GET
Attack
Evidence 1587900758
URL https://koperasi.koota.id/apple-icon-120x120.png
 Method GET
Attack
Evidence 1587900758
URL https://koperasi.koota.id/apple-icon-144x144.png
Method GET
Attack
Evidence 1587900758
URL https://koperasi.koota.id/apple-icon-152x152.png
Method GET
Attack
Evidence 1587900758
URL https://koperasi.koota.id/apple-icon-180x180.png
Method GET
Attack
Evidence 1587900758
URL https://koperasi.koota.id/apple-icon-57x57.png
Method GET
Attack
Evidence 1587900758
URL https://koperasi.koota.id/apple-icon-60x60.png
Method GET
Attack
Evidence 1587900758
URL https://koperasi.koota.id/apple-icon-72x72.png
Method GET
Attack
Evidence 1587900758
URL https://koperasi.koota.id/apple-icon-76x76.png
Method GET
Attack
Evidence 1587900758
URL https://koperasi.koota.id/favicon-16x16.png
Method GET
Attack
Evidence 1587900758
URL https://koperasi.koota.id/favicon-32x32.png
Method GET
Attack
Evidence 1587900758
URL https://koperasi.koota.id/favicon-96x96.png
Method GET
 Attack
Evidence 1587900758
URL https://koperasi.koota.id/login
Method GET
Attack
Evidence 1686303012
URL https://koperasi.koota.id/login
Method GET
Attack
Evidence 1686303015
URL https://koperasi.koota.id/login
Method GET
Attack
Evidence 1686303019
URL https://koperasi.koota.id/login
Method GET
Attack
Evidence 1686303314
URL https://koperasi.koota.id/login/reload
Method GET
Attack
Evidence 1686303018
URL https://koperasi.koota.id/login/reload
Method GET
Attack
Evidence 1686303315
URL https://koperasi.koota.id/login/submit
Method GET
Attack
Evidence 1686303315
URL https://koperasi.koota.id/login/submit
Method POST
Attack
Evidence 1686303022
URL https://koperasi.koota.id/login/submit
Method POST
Attack
Evidence 1686303325
Instances 21
Manually confirm that the timestamp data is not sensitive, and that the data cannot be
Solution
aggregated to disclose exploitable patterns.
Reference http://projects.webappsec.org/w/page/13246936/Information%20Leakage
CWE Id 200
WASC Id 13
Plugin Id 10096

Low X-Content-Type-Options Header Missing

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows
older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response
body, potentially causing the response body to be interpreted and displayed as a content
Description
type other than the declared content type. Current (early 2014) and legacy versions of
Firefox will use the declared content type (if one is set), rather than performing MIME-
sniffing.

URL http://api.koota.id
Method GET
Attack
Evidence
URL http://api.koota.id/robots.txt
Method GET
Attack
Evidence
URL https://api.koota.id/css/app.css
Method GET
Attack
Evidence
URL https://api.koota.id/forgot-password
Method GET
Attack
Evidence
URL https://api.koota.id/login
Method GET
Attack
Evidence
URL https://api.koota.id/logo.png
Method GET
Attack
Evidence
URL https://koperasi.koota.id/android-icon-192x192.png
Method GET
Attack
Evidence
URL https://koperasi.koota.id/apple-icon-114x114.png
Method GET
Attack
Evidence
URL https://koperasi.koota.id/apple-icon-120x120.png
Method GET
Attack
Evidence
URL https://koperasi.koota.id/apple-icon-144x144.png
Method GET
Attack
Evidence
URL https://koperasi.koota.id/apple-icon-152x152.png
Method GET
Attack
Evidence
URL https://koperasi.koota.id/apple-icon-180x180.png
Method GET
Attack
Evidence
URL https://koperasi.koota.id/apple-icon-57x57.png
Method GET
Attack
Evidence
URL https://koperasi.koota.id/apple-icon-60x60.png
Method GET
Attack
Evidence
URL https://koperasi.koota.id/apple-icon-72x72.png
Method GET
Attack
Evidence
URL https://koperasi.koota.id/apple-icon-76x76.png
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/css/materialize.min.css
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/css/style.min.css
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/fonts/material-design-icons/MaterialIcons-Regular.eot
 Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/fonts/material-design-icons/MaterialIcons-Regular.ttf
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/fonts/material-design-icons/MaterialIcons-Regular.woff
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/fonts/material-design-icons/MaterialIcons-Regular.woff2
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/images/background-login-Koota.jpg
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/images/captcha/1686303012.0759.jpg
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/images/captcha/1686303015.7908.jpg
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/images/captcha/1686303018.2103.jpg
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/images/captcha/1686303019.7943.jpg
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/images/captcha/1686303022.5779.jpg
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/images/captcha/1686303314.7831.jpg
Method GET
 Attack
Evidence
URL https://koperasi.koota.id/assets/images/captcha/1686303315.2842.jpg
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/images/captcha/1686303315.8053.jpg
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/images/captcha/1686303325.2506.jpg
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/images/theme/logo-2.png
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/js/plugins.js
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/js/vendors.min.js
Method GET
Attack
Evidence
URL https://koperasi.koota.id/assets/vendors/vendors.min.css
Method GET
Attack
Evidence
URL https://koperasi.koota.id/favicon-16x16.png
Method GET
Attack
Evidence
URL https://koperasi.koota.id/favicon-32x32.png
Method GET
Attack
Evidence
URL https://koperasi.koota.id/favicon-96x96.png
Method GET
Attack
 Evidence
URL https://koperasi.koota.id/login
Method GET
Attack
Evidence
URL https://koperasi.koota.id/login/reload
Method GET
Attack
Evidence
URL https://koperasi.koota.id/login/submit
Method GET
Attack
Evidence
URL https://koperasi.koota.id/manifest.json
Method GET
Attack
Evidence
URL https://koperasi.koota.id/login/submit
Method POST
Attack
Evidence
Instances 44
Ensure that the application/web server sets the Content-Type header appropriately, and
that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
Solution
If possible, ensure that the end user uses a standards-compliant and modern web browser
that does not perform MIME-sniffing at all, or that can be directed by the web application
/web server to not perform MIME-sniffing.
http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
Reference
https://owasp.org/www-community/Security_Headers
CWE Id 693
WASC Id 15
Plugin Id 10021