Affected Items Report
Acunetix Security Audit
2021-10-26
Generated by Acunetix

Scan of imgapi.cn

Scan details

Scan information
  Start time:   2021-10-26T12:52:09.684521+08:00
  Start url:    https://imgapi.cn/
  Host:         imgapi.cn
  Scan time:    15 minutes, 23 seconds
  Profile:      Full Scan

Server information
  Server:       openresty
  Responsive:   True
  Server OS:    Unknown

Threat level
  Acunetix Threat Level 2
  One or more medium-severity type vulnerabilities have been discovered by the scanner. You should investigate each of these vulnerabilities to ensure they will not escalate to more severe problems.

Alerts distribution
  Total alerts found:  12
  High:                0
  Medium:              3
  Low:                 1
  Informational:       8

Affected items

Web Server
Alert group: Application error messages
Severity: Medium
This alert requires manual confirmation

Description
  Acunetix found one or more error/warning messages. Application error or warning messages may expose sensitive information about an application's internal workings to an attacker. These messages may also contain the location of the file that produced an unhandled exception. Consult the 'Attack details' section for more information about the affected page(s).

Recommendations
  Verify that these page(s) are disclosing error or warning messages and properly configure the application to log errors to a file instead of displaying the error to the user.
Alert variants
  Application error messages:
    https://imgapi.cn/qq.php
      <b>Warning</b>: Header may not contain NUL bytes in <b>/home/wwwroot/imgapi/qq.php</b> on line <b>10</b><br />
    https://imgapi.cn/bing.php
      <b>Warning</b>: file_get_contents(): php_network_getaddresses: getaddrinfo failed: Name or service not known in <b>/home/wwwroot/imgapi/bing.php</b> on line <b>15</b><br />

Details
  GET /qq.php?qq=12345'"\'\");|]*%00{%0d%0a<%00>%bf%27'💡 HTTP/1.1
  Referer: https://imgapi.cn/
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
  Host: imgapi.cn
  Connection: Keep-alive

Web Server
Alert group: TLS 1.0 enabled
Severity: Medium

Description
  The web server supports encryption through TLS 1.0. TLS 1.0 is not considered to be "strong cryptography" as defined and required by the PCI Data Security Standard 3.2(.1) when used to protect sensitive information transferred to or from web sites. According to PCI, "30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data."

Recommendations
  It is recommended to disable TLS 1.0 and replace it with TLS 1.2 or higher.

Alert variants
  Details: The SSL server (port: 443) encrypts traffic using TLSv1.0.

Web Server
Alert group: Vulnerable JavaScript libraries (verified)
Severity: Medium

Description
  You are using one or more vulnerable JavaScript libraries. One or more vulnerabilities were reported for this version of the library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.

Recommendations
  Upgrade to the latest version.
Alert variants
  jquery 3.4.1
    URL: https://imgapi.cn/assets/js/jquery.min.js
    Detection method: The library's name and version were determined based on the file's syntax fingerprint and contents. Acunetix verified the library version and the associated vulnerabilities with the file's unique syntax fingerprint, which matched the syntax fingerprint expected by Acunetix.
    References:
      https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
      https://mksben.l0.cm/2020/05/jquery3.5.0-xss.html
      https://jquery.com/upgrade-guide/3.5/
      https://api.jquery.com/jQuery.htmlPrefilter/

Details
  GET /assets/js/jquery.min.js HTTP/1.1
  Host: imgapi.cn
  accept-language: en-US
  accept: */*
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: script
  Referer: https://imgapi.cn/
  Accept-Encoding: gzip,deflate
  Connection: keep-alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Web Server
Alert group: Clickjacking: X-Frame-Options header missing
Severity: Low

Description
  Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

Recommendations
  Configure your web server to include an X-Frame-Options header and a CSP header with a frame-ancestors directive.
  Consult Web references for more information about the possible values for this header.

Alert variants
  Paths without XFO header:
    https://imgapi.cn/
    https://imgapi.cn/qq.php
    https://imgapi.cn/index.html
    https://imgapi.cn/wiki.html

Details
  GET / HTTP/1.1
  Referer: https://imgapi.cn/
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
  Host: imgapi.cn
  Connection: Keep-alive

Web Server
Alert group: Content Security Policy (CSP) not implemented
Severity: Informational

Description
  Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value of this header is a string containing the policy directives describing your Content Security Policy. To implement CSP, you should define lists of allowed origins for all of the types of resources that your site utilizes. For example, if you have a simple site that needs to load scripts, stylesheets, and images hosted locally, as well as the jQuery library from its CDN, the CSP header could look like the following:

    Content-Security-Policy: default-src 'self'; script-src 'self' https://code.jquery.com;

  It was detected that your web application doesn't implement Content Security Policy (CSP), as the CSP header is missing from the response.

Recommendations
  It's recommended to implement Content Security Policy (CSP) into your web application. Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control the resources the user agent is allowed to load for that page.
Alert variants
  Paths without CSP header:
    https://imgapi.cn/
    https://imgapi.cn/qq.php
    https://imgapi.cn/index.html
    https://imgapi.cn/wiki.html

Details
  GET / HTTP/1.1
  Referer: https://imgapi.cn/
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
  Host: imgapi.cn
  Connection: Keep-alive

Web Server
Alert group: Email addresses
Severity: Informational

Description
  One or more email addresses have been found on this website. The majority of spam comes from email addresses harvested off the internet. Spam-bots (also known as email harvesters and email extractors) are programs that scour the internet looking for email addresses on any website they come across. Spambot programs look for strings like myname@mydomain.com and then record any addresses found.

Recommendations
  Check references for details on how to solve this problem.

Alert variants
  Emails found:
    https://imgapi.cn/            canxunwangluo@163.com
    https://imgapi.cn/index.html  canxunwangluo@163.com
    https://imgapi.cn/wiki.html   canxunwangluo@163.com

Details
  GET / HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
  Host: imgapi.cn
  Connection: Keep-alive

Web Server
Alert group: HTTP Strict Transport Security (HSTS) Best Practices
Severity: Informational

Description
  HTTP Strict Transport Security (HSTS) tells a browser that a web site is only accessible using HTTPS. It was detected that your web application doesn't implement best practices of HTTP Strict Transport Security (HSTS).

Recommendations
  It's recommended to implement best practices of HTTP Strict Transport Security (HSTS) into your web application.
  Consult web references for more information.

Alert variants
  URLs where HSTS configuration is not according to best practices:
    https://imgapi.cn/: ; No includeSubDomains directive

Details
  GET / HTTP/1.1
  Referer: https://imgapi.cn/
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
  Host: imgapi.cn
  Connection: Keep-alive

/index.html
Alert group: HTTP Strict Transport Security (HSTS) Best Practices
Severity: Informational

Description
  HTTP Strict Transport Security (HSTS) tells a browser that a web site is only accessible using HTTPS. It was detected that your web application doesn't implement best practices of HTTP Strict Transport Security (HSTS).

Recommendations
  It's recommended to implement best practices of HTTP Strict Transport Security (HSTS) into your web application. Consult web references for more information.

Alert variants
  URLs where HSTS configuration is not according to best practices:
    https://imgapi.cn/index.html: ; No includeSubDomains directive

Details
  GET /index.html HTTP/1.1
  Referer: https://imgapi.cn/
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
  Host: imgapi.cn
  Connection: Keep-alive

/qq.php
Alert group: HTTP Strict Transport Security (HSTS) Best Practices
Severity: Informational

Description
  HTTP Strict Transport Security (HSTS) tells a browser that a web site is only accessible using HTTPS. It was detected that your web application doesn't implement best practices of HTTP Strict Transport Security (HSTS).

Recommendations
  It's recommended to implement best practices of HTTP Strict Transport Security (HSTS) into your web application.
  Consult web references for more information.

Alert variants
  URLs where HSTS configuration is not according to best practices:
    https://imgapi.cn/qq.php: ; No includeSubDomains directive

Details
  GET /qq.php HTTP/1.1
  Referer: https://imgapi.cn/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding: gzip,deflate
  Host: imgapi.cn
  Connection: Keep-alive

/wiki.html
Alert group: HTTP Strict Transport Security (HSTS) Best Practices
Severity: Informational

Description
  HTTP Strict Transport Security (HSTS) tells a browser that a web site is only accessible using HTTPS. It was detected that your web application doesn't implement best practices of HTTP Strict Transport Security (HSTS).

Recommendations
  It's recommended to implement best practices of HTTP Strict Transport Security (HSTS) into your web application. Consult web references for more information.

Alert variants
  URLs where HSTS configuration is not according to best practices:
    https://imgapi.cn/wiki.html: ; No includeSubDomains directive

Details
  GET /wiki.html HTTP/1.1
  Referer: https://imgapi.cn/
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
  Host: imgapi.cn
  Connection: Keep-alive

Web Server
Alert group: Insecure Referrer Policy
Severity: Informational

Description
  Referrer Policy controls the behaviour of the Referer header, which indicates the origin or web page URL the request was made from. The web application uses an insecure Referrer Policy configuration that may leak the user's information to third-party sites.
Recommendations
  Consider setting the Referrer-Policy header to 'strict-origin-when-cross-origin' or a stricter value.

Alert variants
  URLs where Referrer Policy configuration is insecure:
    https://imgapi.cn/
    https://imgapi.cn/qq.php
    https://imgapi.cn/index.html
    https://imgapi.cn/wiki.html

Details
  GET / HTTP/1.1
  Referer: https://imgapi.cn/
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding: gzip,deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
  Host: imgapi.cn
  Connection: Keep-alive

Web Server
Alert group: TLS 1.1 enabled
Severity: Informational

Description
  The web server supports encryption through TLS 1.1. When aiming for Payment Card Industry (PCI) Data Security Standard (DSS) compliance, it is recommended (although at the time of writing not required) to use TLS 1.2 or higher instead. According to PCI, "30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data."

Recommendations
  It is recommended to disable TLS 1.1 and replace it with TLS 1.2 or higher.

Alert variants
  Details: The SSL server (port: 443) encrypts traffic using TLSv1.1.
Scanned items (coverage report)
  https://imgapi.cn/
  https://imgapi.cn/api.php
  https://imgapi.cn/assets/
  https://imgapi.cn/assets/css/
  https://imgapi.cn/assets/css/fontawesome-all.min.css
  https://imgapi.cn/assets/css/images/
  https://imgapi.cn/assets/css/main.css
  https://imgapi.cn/assets/css/noscript.css
  https://imgapi.cn/assets/js/
  https://imgapi.cn/assets/js/breakpoints.min.js
  https://imgapi.cn/assets/js/browser.min.js
  https://imgapi.cn/assets/js/jquery.min.js
  https://imgapi.cn/assets/js/jquery.scrollex.min.js
  https://imgapi.cn/assets/js/jquery.scrolly.min.js
  https://imgapi.cn/assets/js/main.js
  https://imgapi.cn/assets/js/util.js
  https://imgapi.cn/assets/webfonts/
  https://imgapi.cn/bing.php
  https://imgapi.cn/cache/
  https://imgapi.cn/cos.php
  https://imgapi.cn/images/
  https://imgapi.cn/index.html
  https://imgapi.cn/qq.php
  https://imgapi.cn/wiki.html