Acunetix Security Audit
2021-10-26
Generated by Acunetix
Scan of imgapi.cn
Scan details
Scan information
Start time
2021-10-26T12:52:09.684521+08:00
Start url
https://imgapi.cn/
Host
imgapi.cn
Scan time
15 minutes, 23 seconds
Profile
Full Scan
Server information
openresty
Responsive
True
Server OS
Unknown
Threat level
Acunetix Threat Level 2
One or more medium-severity type vulnerabilities have been discovered by the scanner. You should investigate each of
these vulnerabilities to ensure they will not escalate to more severe problems.
Alerts distribution
Total alerts found
12
High
0
Medium
3
Low
1
Informational
8
Affected items
Web Server
Alert group
Application error messages
Severity
Medium
This alert requires manual confirmation
Description
Acunetix found one or more error/warning messages. Application error or warning messages
may expose sensitive information about an application's internal workings to an attacker.
These messages may also contain the location of the file that produced an unhandled
exception.
Recommendations
Consult the 'Attack details' section for more information about the affected page(s).
Verify that these page(s) are disclosing error or warning messages and properly configure
the application to log errors to a file instead of displaying the error to the user.
Alert variants
Application error messages:
https://imgapi.cn/qq.php
<b>Warning</b>: Header may not contain NUL bytes in
<b>/home/wwwroot/imgapi/qq.php</b> on line <b>10</b><br />
https://imgapi.cn/bing.php
<b>Warning</b>: file_get_contents(): php_network_getaddresses: getaddrinfo
failed: Name or service not known in <b>/home/wwwroot/imgapi/bing.php</b> on
line <b>15</b><br />
Details
GET /qq.php?qq=12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'💡 HTTP/1.1
Referer: https://imgapi.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: imgapi.cn
Connection: Keep-alive
Web Server
Alert group
TLS 1.0 enabled
Severity
Medium
Description
The web server supports encryption through TLS 1.0. TLS 1.0 is not considered to be
"strong cryptography" as defined and required by the PCI Data Security Standard 3.2(.1)
when used to protect sensitive information transferred to or from web sites. According to
PCI, "30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more
secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to
meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data."
Recommendations
It is recommended to disable TLS 1.0 and replace it with TLS 1.2 or higher.
Alert variants
Details
The SSL server (port: 443) encrypts traffic using TLSv1.0.
Web Server
Alert group
Vulnerable JavaScript libraries (verified)
Severity
Medium
Description
You are using one or more vulnerable JavaScript libraries. One or more vulnerabilities were
reported for this version of the library. Consult Attack details and Web References for more
information about the affected library and the vulnerabilities that were reported.
Recommendations
Upgrade to the latest version.
Alert variants
jquery 3.4.1
URL: https://imgapi.cn/assets/js/jquery.min.js
Detection method: The library's name and version were determined based on the
file's syntax fingerprint, and contents. Acunetix verified the library version and the
associated vulnerabilities with the file's unique syntax fingerprint, which matched
the syntax fingerprint expected by Acunetix.
References:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://mksben.l0.cm/2020/05/jquery3.5.0-xss.html
https://jquery.com/upgrade-guide/3.5/
https://api.jquery.com/jQuery.htmlPrefilter/
Details
GET /assets/js/jquery.min.js HTTP/1.1
Host: imgapi.cn
accept-language: en-US
accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Referer: https://imgapi.cn/
Accept-Encoding: gzip,deflate
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/83.0.4103.61 Safari/537.36
Web Server
Alert group
Clickjacking: X-Frame-Options header missing
Severity
Low
Description
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious
technique of tricking a Web user into clicking on something different from what the user
perceives they are clicking on, thus potentially revealing confidential information or taking
control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header which means that this website could
be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used
to indicate whether or not a browser should be allowed to render a page inside a frame or
iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not
embedded into other sites.
Recommendations
Configure your web server to include an X-Frame-Options header and a CSP header with
frame-ancestors directive. Consult Web references for more information about the possible
values for this header.
Alert variants
Paths without XFO header:
https://imgapi.cn/
https://imgapi.cn/qq.php
https://imgapi.cn/index.html
https://imgapi.cn/wiki.html
Details
GET / HTTP/1.1
Referer: https://imgapi.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: imgapi.cn
Connection: Keep-alive
Web Server
Alert group
Content Security Policy (CSP) not implemented
Severity
Informational
Description
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate
certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy
header. The value of this header is a string containing the policy directives describing your
Content Security Policy. To implement CSP, you should define lists of allowed origins for
all of the types of resources that your site utilizes. For example, if you have a simple site that
needs to load scripts, stylesheets, and images hosted locally, as well as the jQuery
library from their CDN, the CSP header could look like the following:
Content-Security-Policy:
default-src 'self';
script-src 'self' https://code.jquery.com;
It was detected that your web application doesn't implement Content Security Policy (CSP)
as the CSP header is missing from the response. It's recommended to implement Content
Security Policy (CSP) into your web application.
Recommendations
It's recommended to implement Content Security Policy (CSP) into your web application.
Configuring Content Security Policy involves adding the Content-Security-Policy HTTP
header to a web page and giving it values to control resources the user agent is allowed to
load for that page.
Alert variants
Paths without CSP header:
https://imgapi.cn/
https://imgapi.cn/qq.php
https://imgapi.cn/index.html
https://imgapi.cn/wiki.html
Details
GET / HTTP/1.1
Referer: https://imgapi.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: imgapi.cn
Connection: Keep-alive
Web Server
Alert group
Email addresses
Severity
Informational
Description
One or more email addresses have been found on this website. The majority of spam comes
from email addresses harvested off the internet. The spam-bots (also known as email
harvesters and email extractors) are programs that scour the internet looking for email
addresses on any website they come across. Spambot programs look for strings like
myname@mydomain.com and then record any addresses found.
Recommendations
Check references for details on how to solve this problem.
Alert variants
Emails found:
https://imgapi.cn/
canxunwangluo@163.com
https://imgapi.cn/index.html
canxunwangluo@163.com
https://imgapi.cn/wiki.html
canxunwangluo@163.com
Details
GET / HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: imgapi.cn
Connection: Keep-alive
Web Server
Alert group
HTTP Strict Transport Security (HSTS) Best Practices
Severity
Informational
Description
HTTP Strict Transport Security (HSTS) tells a browser that a web site is only accessible
using HTTPS. It was detected that your web application doesn't implement best practices of
HTTP Strict Transport Security (HSTS).
Recommendations
It's recommended to implement best practices of HTTP Strict Transport Security (HSTS) into
your web application. Consult web references for more information.
Alert variants
URLs where HSTS configuration is not according to best practices:
https://imgapi.cn/: ; No includeSubDomains directive
Details
GET / HTTP/1.1
Referer: https://imgapi.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: imgapi.cn
Connection: Keep-alive
/index.html
Alert group
HTTP Strict Transport Security (HSTS) Best Practices
Severity
Informational
Description
HTTP Strict Transport Security (HSTS) tells a browser that a web site is only accessible
using HTTPS. It was detected that your web application doesn't implement best practices of
HTTP Strict Transport Security (HSTS).
Recommendations
It's recommended to implement best practices of HTTP Strict Transport Security (HSTS) into
your web application. Consult web references for more information.
Alert variants
URLs where HSTS configuration is not according to best practices:
https://imgapi.cn/index.html: ; No includeSubDomains directive
Details
GET /index.html HTTP/1.1
Referer: https://imgapi.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: imgapi.cn
Connection: Keep-alive
/qq.php
Alert group
HTTP Strict Transport Security (HSTS) Best Practices
Severity
Informational
Description
HTTP Strict Transport Security (HSTS) tells a browser that a web site is only accessible
using HTTPS. It was detected that your web application doesn't implement best practices of
HTTP Strict Transport Security (HSTS).
Recommendations
It's recommended to implement best practices of HTTP Strict Transport Security (HSTS) into
your web application. Consult web references for more information.
Alert variants
URLs where HSTS configuration is not according to best practices:
https://imgapi.cn/qq.php: ; No includeSubDomains directive
Details
GET /qq.php HTTP/1.1
Referer: https://imgapi.cn/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/83.0.4103.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Host: imgapi.cn
Connection: Keep-alive
/wiki.html
Alert group
HTTP Strict Transport Security (HSTS) Best Practices
Severity
Informational
Description
HTTP Strict Transport Security (HSTS) tells a browser that a web site is only accessible
using HTTPS. It was detected that your web application doesn't implement best practices of
HTTP Strict Transport Security (HSTS).
Recommendations
It's recommended to implement best practices of HTTP Strict Transport Security (HSTS) into
your web application. Consult web references for more information.
Alert variants
URLs where HSTS configuration is not according to best practices:
https://imgapi.cn/wiki.html: ; No includeSubDomains directive
Details
GET /wiki.html HTTP/1.1
Referer: https://imgapi.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: imgapi.cn
Connection: Keep-alive
Web Server
Alert group
Insecure Referrer Policy
Severity
Informational
Description
Referrer Policy controls behaviour of the Referer header, which indicates the origin or web
page URL the request was made from. The web application uses insecure Referrer Policy
configuration that may leak user's information to third-party sites.
Recommendations
Consider setting the Referrer-Policy header to 'strict-origin-when-cross-origin' or a stricter value.
Alert variants
URLs where Referrer Policy configuration is insecure:
https://imgapi.cn/
https://imgapi.cn/qq.php
Details
https://imgapi.cn/index.html
https://imgapi.cn/wiki.html
GET / HTTP/1.1
Referer: https://imgapi.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: imgapi.cn
Connection: Keep-alive
Web Server
Alert group
TLS 1.1 enabled
Severity
Informational
Description
The web server supports encryption through TLS 1.1. When aiming for Payment Card
Industry (PCI) Data Security Standard (DSS) compliance, it is recommended (although at
the time of writing not required) to use TLS 1.2 or higher instead. According to PCI, "30 June
2018 is the deadline for disabling SSL/early TLS and implementing a more secure
encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet
the PCI Data Security Standard (PCI DSS) for safeguarding payment data."
Recommendations
It is recommended to disable TLS 1.1 and replace it with TLS 1.2 or higher.
Alert variants
Details
The SSL server (port: 443) encrypts traffic using TLSv1.1.
Scanned items (coverage report)
https://imgapi.cn/
https://imgapi.cn/api.php
https://imgapi.cn/assets/
https://imgapi.cn/assets/css/
https://imgapi.cn/assets/css/fontawesome-all.min.css
https://imgapi.cn/assets/css/images/
https://imgapi.cn/assets/css/main.css
https://imgapi.cn/assets/css/noscript.css
https://imgapi.cn/assets/js/
https://imgapi.cn/assets/js/breakpoints.min.js
https://imgapi.cn/assets/js/browser.min.js
https://imgapi.cn/assets/js/jquery.min.js
https://imgapi.cn/assets/js/jquery.scrollex.min.js
https://imgapi.cn/assets/js/jquery.scrolly.min.js
https://imgapi.cn/assets/js/main.js
https://imgapi.cn/assets/js/util.js
https://imgapi.cn/assets/webfonts/
https://imgapi.cn/bing.php
https://imgapi.cn/cache/
https://imgapi.cn/cos.php
https://imgapi.cn/images/
https://imgapi.cn/index.html
https://imgapi.cn/qq.php
https://imgapi.cn/wiki.html