
  • 106,403 Total number of threats
  • 20,883 Low-level threats
  • 61,763 Medium-level threats
  • 94 High-level threats

  • host: powiat-bialogard.pl
  • class: IN
  • ttl: 3600
  • type: A
  • ip: 62.129.204.248
  • type: SOA
  • mname: dns.home.pl
  • rname: admin.home.pl
  • serial: 1570188945
  • refresh: 14400
  • retry: 7200
  • expire: 2419200
  • minimum-ttl: 3600
  • X-Frame-Options Header Not Set

    Medium (Medium)

    The X-Frame-Options header is not included in the HTTP response to protect against clickjacking attacks. Current browsers also honour the Content-Security-Policy frame-ancestors directive, which takes precedence over X-Frame-Options when both are present; setting both covers older browsers as well.

    Most modern web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEO

    http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

  • Sub Resource Integrity Attribute Missing

    Medium (High)

    The integrity attribute is missing on a script or link tag served by an external server. The integrity attribute prevents an attacker who has gained access to that server from injecting malicious content.

    Provide a valid integrity attribute on the tag. For a cross-origin resource the tag also needs a crossorigin attribute and the serving host must answer with CORS headers; otherwise the browser cannot read the bytes to verify them and the integrity check fails.

    https://developer.mozilla.org/en/docs/Web/Security/Subresource_Integrity
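The integrity value is just a base64-encoded digest of the exact bytes served. The following is an added example (not code from the scanner or from the scanned site) that computes the attribute for a script body, emits the tag with the crossorigin attribute the check depends on, and re-implements the browser-side verification, including the rule that only hashes of the strongest listed algorithm count. The script body and the CDN URL are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample script body; a real deployment hashes the exact bytes
# it serves from the CDN (any change, even whitespace, changes the digest).
SCRIPT_BODY = b"window.widget = function () { return 'hello'; };\n"

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an integrity value of the form '<algo>-<base64 digest>'."""
    if algo not in STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Emit the tag the page should carry. crossorigin is required for a
    cross-origin script: without CORS the browser gets an opaque response,
    cannot read the bytes to verify them, and fails the integrity check."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def verify_integrity(body: bytes, integrity: str) -> bool:
    """Mimic the browser check: among the listed hashes keep those using the
    strongest algorithm and accept the body if it matches any of them.
    A browser ignores an unparsable attribute and loads the script unchecked;
    this checker fails closed instead."""
    parsed = []
    for token in integrity.split():
        token = token.split("?", 1)[0]          # drop option suffixes
        algo, _, b64 = token.partition("-")
        if algo in STRENGTH and b64:
            parsed.append((algo, b64))
    if not parsed:
        return False
    best = max(STRENGTH[a] for a, _ in parsed)
    for algo, b64 in parsed:
        if STRENGTH[algo] != best:
            continue
        actual = base64.b64encode(hashlib.new(algo, body).digest()).decode("ascii")
        if hmac.compare_digest(actual.encode(), b64.encode()):
            return True
    return False


if __name__ == "__main__":
    print(script_tag("https://cdn.example.test/widget.js", SCRIPT_BODY))
    print(verify_integrity(SCRIPT_BODY, sri_hash(SCRIPT_BODY)))
    print(verify_integrity(SCRIPT_BODY + b"alert(1);", sri_hash(SCRIPT_BODY)))
```

Pin the hash to a versioned URL: a CDN path that is rewritten in place (a "latest" build) will break the page at the next release, which is the point of the control, but it also means SRI is only practical for content that does not change under you.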

  • Reverse Tabnabbing

    Medium (Medium)

    At least one link on this page is vulnerable to reverse tabnabbing: it uses a target attribute without both the noopener and noreferrer keywords in its rel attribute, which lets the opened page take control of this page through window.opener. Current browsers treat target="_blank" as implying noopener, so the remaining exposure is older browsers and links whose target is a named window; the fix below closes it everywhere.

    Do not use a target attribute, or, if you have to, also add rel="noopener noreferrer" to the link.

    https://owasp.org/www-community/attacks/Reverse_Tabnabbing

    https://dev.to/ben/the-targetblank-vulnerability-by-example

    https://mathiasbynens.github.io/rel-noopener/

    https://medium.com/@jitbit/target-blank-the-most-underestimated-

  • Content Security Policy (CSP) Header Not Set

    Medium (High)

    Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site

    Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header. To achieve optimal browser support: Content-Security-Policy for Chrome 25+, Firefox 23+ and Safari 7+, X-Content-Secur

    https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy

    https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

    http://www.w3.org/TR/CSP/

    http://w3c.github.io/

  • Cross-Domain JavaScript Source File Inclusion

    Low (Medium)

    The page includes one or more script files from a third-party domain.

    Ensure JavaScript source files are loaded only from trusted sources, and that those sources cannot be controlled by end users of the application. A third-party script runs with the full privileges of the page that includes it, so a compromise of the CDN is a compromise of this site; pin static scripts with an integrity attribute.

  • Incomplete or No Cache-control and Pragma HTTP Header Set

    Low (Medium)

    The cache-control and pragma HTTP headers have not been set properly or are missing, allowing the browser and proxies to cache content.

    Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

    https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

  • Web Browser XSS Protection Not Enabled

    Low (Medium)

    Web Browser XSS Protection is not enabled, or is disabled by the configuration of the X-XSS-Protection HTTP response header on the web server.

    Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to 1. Note that this is a legacy control: the filter it drives has been removed from current versions of Chrome and Edge and was never implemented in Firefox, so the header gives no protection there and a Content-Security-Policy is the control to rely on.

    https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

    https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/

  • Absence of Anti-CSRF Tokens

    Low (Medium)

    No Anti-CSRF tokens were found in a HTML submission form.

    A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an actio

    Phase: Architecture and Design

    Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

    For example, use anti-CSRF packages such as the OWASP CSRFGuard

    http://projects.webappsec.org/Cross-Site-Request-Forgery

    http://cwe.mitre.org/data/definitions/352.html
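One way to build the missing token, as an added example and not code from the scanner or from the scanned site: the server issues a token bound to the caller's session with an HMAC, embeds it in the form as a hidden field, and refuses any state-changing POST whose token does not validate for the session that sent it. The server key, session ids and form handler are hypothetical; a real application loads the key from configuration and takes the session id from its session cookie.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed server-side key; a real application loads it from configuration
# and keeps it out of the code base. The session id would come from the
# session cookie of the authenticated user.
SERVER_KEY = secrets.token_bytes(32)
NONCE_LEN = 16
MAC_LEN = hashlib.sha256().digest_size


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Token = nonce || HMAC-SHA256(key, session_id || nonce), hex encoded.
    Binding the MAC to the session means a token lifted from one user's
    session does not validate inside another's, and nothing has to be
    stored server-side to check it later."""
    nonce = secrets.token_bytes(NONCE_LEN)
    mac = hmac.new(key, session_id.encode() + nonce, hashlib.sha256).digest()
    return (nonce + mac).hex()


def verify_csrf_token(session_id: str, token: Optional[str],
                      key: bytes = SERVER_KEY) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token:
        return False
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return False
    if len(raw) != NONCE_LEN + MAC_LEN:
        return False
    nonce, mac = raw[:NONCE_LEN], raw[NONCE_LEN:]
    expected = hmac.new(key, session_id.encode() + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def render_form(session_id: str) -> str:
    """Embed a fresh token in the form as a hidden field."""
    token = issue_csrf_token(session_id)
    return ('<form method="post" action="/profile">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="email"><button>Save</button></form>')


def handle_profile_post(session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """State-changing handler: refuse the request unless the submitted token
    validates for the caller's own session."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, "profile updated"


if __name__ == "__main__":
    print(render_form("sess-A"))
    tok = issue_csrf_token("sess-A")
    print(handle_profile_post("sess-A", {"csrf_token": tok}))   # accepted
    print(handle_profile_post("sess-B", {"csrf_token": tok}))   # token from another session
```

The token only helps if it is compared against the session that submits it; a token checked for mere presence, or one that is the same for every user, is what a forged cross-site form will happily carry.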

  • X-Content-Type-Options Header Missing

    Low (Medium)

    The anti-MIME-sniffing header X-Content-Type-Options was not set to nosniff. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and di

    Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to nosniff for all web pages.

    If possible, ensure that the end user uses a standards-compliant and modern

    http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

    https://www.owasp.org/index.php/List_of_useful_HTTP_headers

  • Secure Pages Include Mixed Content

    Low (Medium)

    The page includes mixed content, that is, content accessed via HTTP instead of HTTPS.

    A page that is served over SSL/TLS must consist entirely of content that is also transmitted over SSL/TLS. Current browsers block active mixed content (scripts, stylesheets, frames) outright and either upgrade or block passive content such as images, so the practical effect is broken pages as well as a weakened TLS guarantee.

    The page must not contain any content that is transmitted over unencrypted HTTP.

    This includes content from third party s

    https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
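The four markup findings above (cross-domain script inclusion, missing integrity attribute, reverse tabnabbing, mixed content) are all answered by one pass over the page's HTML. The following is an added example, not the scanner's own rule code, that runs those checks with the standard-library parser; the page URL, hostnames and resources in SAMPLE_HTML are constructed for the example.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed sample page; the URL, hostnames and resources are made up.
PAGE_URL = "https://www.example.test/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example-cdn.test/site.css">
<script src="https://cdn.example-cdn.test/widget.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="http://images.example.test/logo.png" alt="logo">
<a href="https://partner.example.test/" target="_blank">Partner</a>
<a href="https://partner.example.test/" target="_blank" rel="noopener noreferrer">Safe link</a>
</body></html>"""

# Tags that load a subresource and the attribute carrying its URL.
SUBRESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

Finding = Tuple[str, str, str]  # (finding name, tag, resolved URL)


class PageAuditor(HTMLParser):
    """Runs the four markup checks while parsing and collects findings."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        parts = urlsplit(page_url)
        self.origin = (parts.scheme, parts.netloc)
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and "target" in a:
            rel = set(a.get("rel", "").lower().split())
            if not {"noopener", "noreferrer"} <= rel:
                self.findings.append(("Reverse Tabnabbing", tag, a.get("href", "")))
            return
        attr = SUBRESOURCE_ATTRS.get(tag)
        if not attr or not a.get(attr):
            return
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            return                                   # only stylesheets count here
        url = urljoin(self.page_url, a[attr])        # resolves relative and //host URLs
        parts = urlsplit(url)
        if self.origin[0] == "https" and parts.scheme == "http":
            self.findings.append(("Secure Pages Include Mixed Content", tag, url))
        cross_origin = (parts.scheme, parts.netloc) != self.origin
        if cross_origin and tag == "script":
            self.findings.append(("Cross-Domain JavaScript Source File Inclusion", tag, url))
        if cross_origin and tag in ("script", "link") and not a.get("integrity"):
            self.findings.append(("Sub Resource Integrity Attribute Missing", tag, url))


def audit_html(html: str, page_url: str) -> List[Finding]:
    auditor = PageAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for name, tag, url in audit_html(SAMPLE_HTML, PAGE_URL):
        print(f"{name}: <{tag}> {url}")
```

Origin is compared as scheme plus host and port, so a same-host script reached over http:// on an https page is both mixed content and, by this definition, cross-origin; that is the correct reading, since the insecure copy is exactly what an on-path attacker can replace.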

  • Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

    Low (Medium)

    The web/application server is leaking information via one or more X-Powered-By HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulner

    Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Powered-By headers.

    http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx

    http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html

  • Server Leaks Version Information via "Server" HTTP Response Header Field

    Low (High)

    The web/application server is leaking version information via the Server HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.

    Ensure that your web server, application server, load balancer, etc. is configured to suppress the Server header or provide generic details.

    http://httpd.apache.org/docs/current/mod/core.html#servertokens

    http://msdn.microsoft.com/en-us/library/ff648552.aspx#ht_urlscan_007

    http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx

    htt

  • Feature Policy Header Not Set

    Low (Medium)

    The Feature-Policy header is an added layer of security that helps restrict unauthorized access to or usage of browser/client features by web resources. This policy protects user privacy by limiting or specifying the features of the browser c

    Ensure that your web server, application server, load balancer, etc. is configured to set the Feature-Policy header. The header has since been renamed Permissions-Policy, with a different value syntax; current browsers read the new name, so set that one and keep Feature-Policy only for older clients.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

    https://developers.google.com/web/updates/2018/06/feature-policy

    https://scotthelme.co.uk/a-new-security-header-feature-policy/

    https://w3c.github.io/webapp

  • Insufficient Site Isolation Against Spectre Vulnerability

    Low (Medium)

    The Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).

    Ensure that the application/web server sets the Cross-Origin-Embedder-Policy header to require-corp for documents. This is a breaking change: any cross-origin image, script or frame that does not send Cross-Origin-Resource-Policy or CORS headers stops loading, and the isolation only takes effect together with Cross-Origin-Opener-Policy set to same-origin.

    If possible, ensure that the end user uses a standar

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy

  • Cookie No HttpOnly Flag

    Low (Medium)

    A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a sessi

    Ensure that the HttpOnly flag is set for all cookies.

    http://www.owasp.org/index.php/HttpOnly

  • Strict-Transport-Security Header Not Set

    Low (High)

    HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

    Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.

    https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html

    https://owasp.org/www-community/Security_Headers

    http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

    http://caniuse.com/strict
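The header findings in this report (X-Frame-Options, Content-Security-Policy, Cache-Control and Pragma, X-Content-Type-Options, X-Powered-By, Server version, Feature-Policy, Cross-Origin-Embedder-Policy and Strict-Transport-Security) can be reproduced against any captured response with a few string checks, and the fix is one header set applied to every response. The following is an added example, not the scanner's rule code and not the site's configuration: the weak response in WEAK_RESPONSE is constructed, the values in HARDENED are a starting point that a real deployment tunes (the CSP in particular must match what the site actually loads), and X-XSS-Protection is deliberately left out because the filter it controlled no longer exists in current browsers.

```python
import re
from typing import Dict, List

# Constructed response headers for the weak case, typical of a stock PHP
# site behind Apache; the values are made up for this example.
WEAK_RESPONSE = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=UTF-8",
    "Cache-Control": "max-age=600",
}

# Headers to add to every response. A starting point, not a universal policy:
# the CSP must be tuned to what the site really loads or it breaks the pages.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; "
                               "base-uri 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
}
VERSION_RE = re.compile(r"\d+\.\d+")


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def _directives(value: str) -> set:
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Reproduce the header findings of the report for one response."""
    f = []
    if not _get(headers, "Content-Security-Policy"):
        f.append("Content Security Policy (CSP) Header Not Set")
    if _get(headers, "X-Frame-Options").upper() not in ("DENY", "SAMEORIGIN"):
        f.append("X-Frame-Options Header Not Set")
    if _get(headers, "X-Content-Type-Options").lower() != "nosniff":
        f.append("X-Content-Type-Options Header Missing")
    hsts = re.search(r"max-age=(\d+)", _get(headers, "Strict-Transport-Security"))
    if not hsts or int(hsts.group(1)) == 0:
        f.append("Strict-Transport-Security Header Not Set")
    cc = _directives(_get(headers, "Cache-Control"))
    if not {"no-cache", "no-store", "must-revalidate"} <= cc or \
            "no-cache" not in _directives(_get(headers, "Pragma")):
        f.append("Incomplete or No Cache-control and Pragma HTTP Header Set")
    if _get(headers, "X-Powered-By"):
        f.append('Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)')
    if VERSION_RE.search(_get(headers, "Server")):
        f.append('Server Leaks Version Information via "Server" HTTP Response Header Field')
    if not (_get(headers, "Permissions-Policy") or _get(headers, "Feature-Policy")):
        f.append("Feature Policy Header Not Set")
    if _get(headers, "Cross-Origin-Embedder-Policy").lower() != "require-corp":
        f.append("Insufficient Site Isolation Against Spectre Vulnerability")
    return f


def harden(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with the leaky headers removed and the protective ones set."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("x-powered-by", "server", "cache-control", "pragma")}
    out["Server"] = "web"      # generic value; drop the header entirely where the server allows
    out.update(HARDENED)
    return out


if __name__ == "__main__":
    print("weak:", audit_headers(WEAK_RESPONSE))
    print("hardened:", audit_headers(harden(WEAK_RESPONSE)))
```

The no-store cache policy in HARDENED is what the report asks for and is right for pages carrying session-bound or personal data; applying it to static assets throws away caching for no security gain, so set it per route rather than globally.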

  • Cookie Without Secure Flag

    Low (Medium)

    A cookie has been set without the Secure flag, which means that the cookie can be accessed via unencrypted connections.

    Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the Secure flag is set for cookies containing such sensitive information.

    http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

  • Cookie Without SameSite Attribute

    Low (Medium)

    A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a cross-site request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion,

    Ensure that the SameSite attribute is set to either Lax or, ideally, Strict for all cookies. Strict also withholds the cookie on top-level navigations from other sites, so users following an external link arrive logged out; Lax is the usual choice for a session cookie, and a cookie set to SameSite=None must also carry the Secure flag or browsers reject it.

    https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site
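The three cookie findings (no HttpOnly, no Secure, no SameSite) are checks on the attributes of each Set-Cookie header, and the fix is to rewrite the header with the attributes present. The following is an added example, not the scanner's code and not the site's own cookie handling; the Set-Cookie values in SAMPLE_SET_COOKIE are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed Set-Cookie headers; names and values are made up for this example.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=3f9a1c2b7d; path=/",
    "lang=pl; Path=/; Max-Age=31536000",
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
]

# Canonical spelling for the attributes when the header is rebuilt.
CANONICAL = {"path": "Path", "domain": "Domain", "max-age": "Max-Age", "expires": "Expires",
             "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        if not p:
            continue
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def audit_cookie(header: str) -> List[str]:
    """Reproduce the three cookie findings of the report for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"Cookie No HttpOnly Flag: {name}")
    if "secure" not in attrs:
        findings.append(f"Cookie Without Secure Flag: {name}")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        # Missing, or SameSite=None, which explicitly opts back in to cross-site sending.
        findings.append(f"Cookie Without SameSite Attribute: {name}")
    return findings


def harden_cookie(header: str, samesite: str = "Lax") -> str:
    """Rebuild the header with Secure, HttpOnly and SameSite set, keeping the
    other attributes. Lax is the usual choice for a session cookie: Strict
    also drops the cookie on top-level navigations from other sites."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("path", "/")
    attrs["secure"] = ""
    attrs["httponly"] = ""
    attrs["samesite"] = samesite
    rendered = [f"{name}={value}"]
    for k, v in attrs.items():
        label = CANONICAL.get(k, k)
        rendered.append(f"{label}={v}" if v else label)
    return "; ".join(rendered)


if __name__ == "__main__":
    for raw in SAMPLE_SET_COOKIE:
        print(raw, "->", audit_cookie(raw) or "ok")
        print("  hardened:", harden_cookie(raw))
```

HttpOnly only stops script from reading the cookie; it does not stop script that already runs on the page from making authenticated requests with it, so it limits the damage of an XSS rather than neutralising it.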

  • Timestamp Disclosure - Unix

    Informational (Low)

    A timestamp was disclosed by the application/web server - Unix

    Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

    https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure

    http://projects.webappsec.org/w/page/13246936/Information%20Leakage

  • Storable and Cacheable Content

    Informational (Medium)

    The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the resp

    Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by anoth

    https://tools.ietf.org/html/rfc7234

    https://tools.ietf.org/html/rfc7231

    http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (obsoleted by rfc7234)

  • Modern Web Application

    Informational (Medium)

    The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

    This is an informational alert and so no changes are required.

  • Base64 Disclosure

    Informational (Medium)

    Base64 encoded data was disclosed by the application/web server. Note: in the interests of performance not all base64 strings in the response were analyzed individually; the entire response should be looked at by the analyst/security team/develope

    Manually confirm that the Base64 data does not leak sensitive information. and that the data cannot be aggregated/used to exploit other vulnerabilities.

    http://projects.webappsec.org/w/page/13246936/Information%20Leakage
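Both informational findings above (Unix timestamp disclosure and Base64 disclosure) come down to pattern-matching the response body and then deciding whether what was found matters. The following is an added example, not the scanner's rule code, that finds ten-digit epoch values and decodes them, finds base64 candidates, decodes them and flags the ones that read like credentials or account data so the analyst can triage rather than eyeball the whole response. The body in SAMPLE_BODY is constructed; the two base64 strings in it are generated in the code so the sample stays readable. As an aside, the SOA serial 1570188945 in the DNS data above looks like an epoch value and decodes to 2019-10-04T11:35:45Z.

```python
import base64
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed response body. The base64 strings are built here rather than
# pasted; in a real response they are simply opaque blobs.
_CFG = base64.b64encode(b'{"user":"admin","role":"superuser"}').decode()
_TOKEN = base64.b64encode(b"SecretPassword123").decode()
SAMPLE_BODY = f"""<div data-generated="1570188945">cached copy</div>
<script>var cfg = "{_CFG}";</script>
<img src="/img/logo.png?v=1f3a9b" alt="logo">
<!-- debug: token={_TOKEN} -->"""

# Ten-digit numbers not embedded in a longer digit run; filtered below to the
# range from 2001-09-09 (1e9) up to the 2038 roll-over.
TS_RE = re.compile(r"(?<!\d)([1-9]\d{9})(?!\d)")
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}")
SENSITIVE_WORDS = ("user", "pass", "token", "secret", "key", "role")


def find_unix_timestamps(body: str) -> List[Tuple[str, datetime]]:
    """Return (raw digits, UTC datetime) for every plausible epoch value."""
    found = []
    for m in TS_RE.finditer(body):
        n = int(m.group(1))
        if n <= 2 ** 31 - 1:
            found.append((m.group(1), datetime.fromtimestamp(n, tz=timezone.utc)))
    return found


def find_base64(body: str) -> List[Tuple[str, Optional[bytes]]]:
    """Return (candidate, decoded) pairs; decoded is None for binary payloads."""
    found = []
    for m in B64_RE.finditer(body):
        s = m.group(0)
        if len(s) % 4:
            continue                       # wrong length: a hex id or a word, not base64
        try:
            raw = base64.b64decode(s, validate=True)
        except ValueError:
            continue
        try:
            raw.decode("utf-8")
            found.append((s, raw))
        except UnicodeDecodeError:
            found.append((s, None))        # binary: hand it to the analyst as-is
    return found


def review_disclosures(body: str) -> List[str]:
    """Findings in the style of the report, with enough detail to triage."""
    notes = []
    for raw, when in find_unix_timestamps(body):
        notes.append(f"Timestamp Disclosure - Unix: {raw} = {when.isoformat()}")
    for enc, dec in find_base64(body):
        if dec is None:
            notes.append(f"Base64 Disclosure: {enc[:12]}... (binary, review manually)")
        elif any(w in dec.decode().lower() for w in SENSITIVE_WORDS):
            notes.append(f"Base64 Disclosure: {enc[:12]}... decodes to sensitive-looking text {dec.decode()!r}")
        else:
            notes.append(f"Base64 Disclosure: {enc[:12]}... decodes to {dec.decode()!r}")
    return notes


if __name__ == "__main__":
    for line in review_disclosures(SAMPLE_BODY):
        print(line)
```

The sensitive-word list is a triage aid, not a verdict: a base64 blob that decodes to something binary may still be a serialized session or a signed token, which is why the binary case is surfaced rather than dropped.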

  • Non-Storable Content

    Informational (Medium)

    The response contents are not storable by caching components such as proxy servers. If the response does not contain sensitive, personal or user-specific information, it may benefit from being stored and cached, to improve performance.

    The content may be marked as storable by ensuring that the following conditions are satisfied:

    The request method must be understood by the cache and defined as being cacheable (GET, HEAD and POST are currently defined as cacheable)

    https://tools.ietf.org/html/rfc7234

    https://tools.ietf.org/html/rfc7231

    http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (obsoleted by rfc7234)
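The storable / non-storable pair of findings is a direct application of the RFC 7234 section 3 rules: the request method and status must be understood, neither side may say no-store, a shared cache must not see private or an Authorization request without an explicit allowance, and the response must carry freshness information, a public directive, or a status code that caches may reuse heuristically. The following is an added example, not the scanner's rule code, that encodes those rules for a shared cache (and, with shared=False, a browser cache); the request and response header dictionaries it is called with are constructed for the example.

```python
from typing import Dict, Optional

# Status codes a cache may store without explicit freshness (RFC 7231 6.1).
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}
UNDERSTOOD_METHODS = {"GET", "HEAD", "POST"}


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def _directives(value: Optional[str]) -> Dict[str, Optional[str]]:
    """Parse 'no-store, max-age=60' into {'no-store': None, 'max-age': '60'}."""
    out: Dict[str, Optional[str]] = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        k, sep, v = part.partition("=")
        out[k.strip().lower()] = v.strip().strip('"') if sep else None
    return out


def is_storable(method: str, status: int, request: Dict[str, str],
                response: Dict[str, str], shared: bool = True) -> bool:
    """RFC 7234 section 3: may a cache store this response at all?"""
    req_cc = _directives(_get(request, "Cache-Control"))
    resp_cc = _directives(_get(response, "Cache-Control"))
    if method.upper() not in UNDERSTOOD_METHODS:
        return False
    if "no-store" in req_cc or "no-store" in resp_cc:
        return False
    if shared and "private" in resp_cc:
        return False
    if shared and _get(request, "Authorization") is not None and not (
            {"must-revalidate", "public", "s-maxage"} & resp_cc.keys()):
        return False
    explicit_freshness = (_get(response, "Expires") is not None
                          or "max-age" in resp_cc
                          or (shared and "s-maxage" in resp_cc))
    if explicit_freshness or "public" in resp_cc:
        return True
    # POST responses need explicit freshness (RFC 7231 4.3.3); the other
    # methods fall back to the status code's default cacheability.
    return method.upper() != "POST" and status in HEURISTICALLY_CACHEABLE


if __name__ == "__main__":
    print(is_storable("GET", 200, {}, {}))                                   # True: heuristic
    print(is_storable("GET", 200, {}, {"Cache-Control": "no-store"}))        # False
    print(is_storable("GET", 200, {"Authorization": "Bearer x"},
                      {"Cache-Control": "max-age=60"}))                      # False in a shared cache
```

The first case is the one that bites: a plain 200 with no Cache-Control at all is storable by every proxy on the path, which is why the report treats a missing header on a personalised page as a finding rather than a default.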
