Application scan
Qualys, Inc
1600 Bridge Parkway
Redwood Shores, CA 94065
(650) 801 6100
Scan Results Report
Data Information
Type: WAS Scan Result
Author: Daneian Easy
Company: Johnson and Johnson
Generation date: 09 Jul 2012 09:07AM GMT-0400
Settings
Sort Criteria: Sort by descending Severity
The scan completed successfully in 30 minutes and 8 seconds.
Scan Information
Title: EMEA-Pharma-EXT-Prod-Quaterly-kompass-therapiebegleiter.de - 2012-Jun-29
Scan Type: Vulnerability
Launch Mode: Scheduled
Start Date: 01 Jul 2012 01:00AM GMT-0400
End Date: 01 Jul 2012 01:30AM GMT-0400
Web Application: kompass-therapiebegleiter.de
Target URL: http://www.kompass-therapiebegleiter.de
Authentication Record: None
Option Profile: P&G-LC5H-LPF-MBTF-NSC_COM
Scanner Appliance: External
Scan Summary
Security Risk:
Authentication Status: None
Crawling Phase
Crawl Duration: 00:02:38
# Links Crawled: 51 Links
# Links In Queue: 0 Links
Vulnerability Assessment Phase
Assessment Time: 00:26:24
# Requests: 10,044
Findings By Type
Vulnerabilities by Group / Level
Name   Level 1   Level 2   Level 3   Level 4   Level 5   Total
XSS    0         0         0         0         0         0
SQL    0         0         0         0         0         0
PATH   0         0         0         0         0         0
INFO   10        0         1         0         0         11
Sensitive Content By Group
Vulnerabilities by OWASP Top 10 / WASC Threats
Code # Vulns
A-1 0
A-2 0
A-3 0
A-4 0
A-5 0
A-6 1
A-7 0
A-8 0
A-9 0
A-10 0
Results
QID: 150085 / Information Disclosure
Slow HTTP POST vulnerability
URL: https://www.kompass-therapiebegleiter.de/contactus
CWE IDs:
OWASP References: A6: Security Misconfiguration
WASC References:
Vulnerable Parameter:
Description: The application scanner discovered that the web application is probably vulnerable to a slow HTTP POST DDoS attack, an application-level (Layer 7) DDoS that occurs when an attacker holds server connections open by sending properly crafted HTTP POST headers that contain a legitimate Content-Length header to inform the web server how much data to expect. After the HTTP POST headers are fully sent, the HTTP POST message body is sent at a slow speed to prolong the completion of the connection and lock up server resources. By waiting for the complete request body, the server supports clients with slow or intermittent connections. More information can be found in this presentation.
Impact: All other services remain intact, but the web server itself becomes completely inaccessible.
Solution: The solution is server-specific, but the general recommendations are:
- limit the size of the acceptable request to each form's requirements
- establish a minimal acceptable speed rate
- establish an absolute request timeout for connections carrying a POST request
An easy-to-use tool for intrusive testing is available here.
Results
Authenticated: -
Form Entry Point: -
Payload : N/A
Result : Vulnerable to slow HTTP POST attack
Server resets timeout after accepting request data from peer.
QID: 6 / Information Gathered
DNS Host Name
CWE IDs:
OWASP References:
WASC References:
Description: The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.
Impact:
Solution:
Results
IP address Host name
77.246.41.39 No registered hostname
QID: 45038 / Information Gathered
Host Scan Time
CWE IDs:
OWASP References:
WASC References:
Description: The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below.
The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a
scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer
the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.
Impact: N/A
Solution: N/A
Results
Scan duration: 1760 seconds
Start time: Sun, Jul 01 2012, 05:00:17 GMT
End time: Sun, Jul 01 2012, 05:29:37 GMT
QID: 82040 / Information Gathered
ICMP Replies Received
CWE IDs:
OWASP References:
WASC References:
Description: ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. ICMP's principal purpose is to provide a protocol layer that informs gateways of the inter-connectivity and
accessibility of other gateways or hosts.
We have sent the following types of packets to trigger the host to send us ICMP replies:
Echo Request (to trigger Echo Reply)
Timestamp Request (to trigger Timestamp Reply)
Address Mask Request (to trigger Address Mask Reply)
UDP Packet (to trigger Port Unreachable Reply)
IP Packet with Protocol >= 250 (to trigger Protocol Unreachable Reply)
Listed in the "Result" section are the ICMP replies that we have received.
Impact:
Solution:
Results
ICMP Reply Type        Triggered By    Additional Information
Echo (type=0 code=0)   Echo Request    Echo Reply
QID: 150009 / Information Gathered
Links Crawled
CWE IDs:
OWASP References:
WASC References:
Description: The list of unique links crawled by the Web application scanner appears in the Results section. This list may contain fewer links than the maximum threshold defined at scan launch. The maximum links to crawl includes links in this list, requests made via HTML forms, and requests for the same link made as an anonymous and authenticated user.
Impact: N/A
Solution: N/A
Results
Duration of crawl phase (seconds): 158.00
Number of links: 51
(This number excludes form requests and links re-requested during authentication.)
http://www.kompass-therapiebegleiter.de/
http://www.kompass-therapiebegleiter.de/adherence
http://www.kompass-therapiebegleiter.de/basic_info
http://www.kompass-therapiebegleiter.de/contactus
http://www.kompass-therapiebegleiter.de/datenschutz-glossar
http://www.kompass-therapiebegleiter.de/impressum
http://www.kompass-therapiebegleiter.de/index.php
http://www.kompass-therapiebegleiter.de/legal_notice
http://www.kompass-therapiebegleiter.de/misc/favicon.ico
http://www.kompass-therapiebegleiter.de/privacy_policy
http://www.kompass-therapiebegleiter.de/psychoedukation
http://www.kompass-therapiebegleiter.de/shared_decision
http://www.kompass-therapiebegleiter.de/sitemap
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_patient.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_umschlag.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_Titel.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_inhalt.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_Titel_02.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_inhalt_02.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_adherence_therapiebegleiter.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_infoletter_1.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_pe_cl_krisenbewaeltigung.pdf
http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js
http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js
http://www.kompass-therapiebegleiter.de/therapy_planning
https://www.kompass-therapiebegleiter.de/
https://www.kompass-therapiebegleiter.de/adherence
https://www.kompass-therapiebegleiter.de/basic_info
https://www.kompass-therapiebegleiter.de/contactus
https://www.kompass-therapiebegleiter.de/contactus/
https://www.kompass-therapiebegleiter.de/contactus/confirm
https://www.kompass-therapiebegleiter.de/datenschutz-glossar
https://www.kompass-therapiebegleiter.de/impressum
https://www.kompass-therapiebegleiter.de/legal_notice
https://www.kompass-therapiebegleiter.de/misc/favicon.ico
https://www.kompass-therapiebegleiter.de/privacy_policy
https://www.kompass-therapiebegleiter.de/psychoedukation
https://www.kompass-therapiebegleiter.de/shared_decision
https://www.kompass-therapiebegleiter.de/sitemap
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_patient.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_umschlag.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_Titel.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_inhalt.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_Titel_02.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_inhalt_02.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_adherence_therapiebegleiter.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_infoletter_1.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_pe_cl_krisenbewaeltigung.pdf
https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js
https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js
https://www.kompass-therapiebegleiter.de/therapy_planning
QID: 150010 / Information Gathered
External Links Discovered
CWE IDs:
OWASP References:
WASC References:
Description: The external links discovered by the Web application scanning engine are provided in the Results section. These links were present on the target Web application, but were not crawled.
Impact: N/A
Solution: N/A
Results
Number of links: 8
http://www.google-analytics.com/ga.js
http://www.adobe.com/de/products/reader/
http://www.janssen-cilag.de/?product=kompass
https://ssl.google-analytics.com/ga.js
mailto:%5bno%20address%20given%5d
mailto:datenschutz.jacde@jacde.jnj.com
mailto:jancil@its.jnj.com
http://tools.google.com/dlpage/gaoptout?hl=de
QID: 150021 / Information Gathered
Scan Diagnostics
CWE IDs:
OWASP References:
WASC References:
Description: This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application.
Impact: The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application.
Solution: No action is required.
Results
Loaded 0 blacklist entries.
Loaded 0 whitelist entries.
HTML form authentication unavailable, no WEBAPP entry found
Collected 57 links overall.
Path manipulation: estimated time < 1 minute (101 tests, 75 inputs)
Path manipulation: 101 vulnsigs tests, completed 3185 requests, 538 seconds. All tests completed.
WS enumeration: estimated time < 1 minute (9 tests, 69 inputs)
WS enumeration: 9 vulnsigs tests, completed 189 requests, 32 seconds. All tests completed.
Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (43 tests, 0 inputs)
Batch #1 URI parameter manipulation (no auth): 43 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Batch #1 Form parameter manipulation (no auth): estimated time < 1 minute (43 tests, 3 inputs)
Batch #1 Form parameter manipulation (no auth): 43 vulnsigs tests, completed 301 requests, 179 seconds. All tests completed.
Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (19 tests, 0 inputs)
Batch #1 URI blind SQL manipulation (no auth): 19 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Batch #1 Form blind SQL manipulation (no auth): estimated time < 1 minute (19 tests, 3 inputs)
Batch #1 Form blind SQL manipulation (no auth): 19 vulnsigs tests, completed 133 requests, 220 seconds. All tests completed.
Batch #1 Form field time-based tests (no auth): estimated time < 1 minute (8 tests, 0 inputs)
Batch #1 Form field time-based tests (no auth): 8 vulnsigs tests, completed 56 requests, 103 seconds. No tests to execute.
HTTP call manipulation: estimated time < 1 minute (32 tests, 0 inputs)
HTTP call manipulation: 32 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Open Redirect analysis: estimated time < 1 minute (1 tests, 0 inputs)
Open Redirect analysis: 1 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Cookie manipulation: estimated time < 1 minute (36 tests, 10 inputs)
Cookie manipulation: 36 vulnsigs tests, completed 4725 requests, 428 seconds. XSS optimization removed 207 links. Completed 4725 requests of 11520 estimated requests (41%). All tests completed.
Header manipulation: estimated time < 1 minute (36 tests, 32 inputs)
Header manipulation: 36 vulnsigs tests, completed 768 requests, 84 seconds. XSS optimization removed 736 links. Completed 768 requests of 2304 estimated requests (33%). All tests completed.
Total requests made: 10044
Average server response time: 0.55 seconds
Most recent links:
200 https://www.kompass-therapiebegleiter.de/therapy_planning
200 https://www.kompass-therapiebegleiter.de/impressum
200 https://www.kompass-therapiebegleiter.de/psychoedukation
200 https://www.kompass-therapiebegleiter.de/privacy_policy
200 https://www.kompass-therapiebegleiter.de/basic_info
200 https://www.kompass-therapiebegleiter.de/contactus/confirm
200 https://www.kompass-therapiebegleiter.de/datenschutz-glossar
200 https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js
200 https://www.kompass-therapiebegleiter.de/contactus/
200 http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js
QID: 150028 / Information Gathered
Cookies Collected
CWE IDs:
OWASP References:
WASC References:
Description: The cookies listed in the Results section were received from the web application during the crawl phase.
Impact: Cookies may contain sensitive information about the user. Cookies sent via HTTP may be sniffed.
Solution: Review cookie values to ensure that sensitive information such as passwords are not present within them.
Results
Total cookies: 10
InquiryID=62955; path=/; domain=www.kompass-therapiebegleiter.de
SESSa1d09bb6cc6d03301008ba39ec8b2506=vg9kj6u8nujbcmg4r4p241bgvij93mbu; expires=Tue Jul 24 01:35:01 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1999908; httponly
SESSa1d09bb6cc6d03301008ba39ec8b2506=v62ptgn01p4ajr3i4emm1jarrhlddlil; path=/; domain=www.kompass-therapiebegleiter.de
__utma=153766946.1204051642.1341118844.1341118844.1341118844.1; expires=Mon Jun 30 22:02:37 2014; path=/; domain=.kompass-therapiebegleiter.de; max-age=63071964
__utmb=153766946.2.10.1341118844; expires=Sat Jun 30 22:32:37 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1764
__utmb=153766946.1.10.1341118844; path=/; domain=www.kompass-therapiebegleiter.de
__utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de
__utmz=153766946.1341118844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expires=Sun Dec 30 09:02:37 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767964
current_time=1341118900; path=/; domain=www.kompass-therapiebegleiter.de
has_js=1; path=/; domain=www.kompass-therapiebegleiter.de
QID: 150054 / Information Gathered
Email Addresses Collected
CWE IDs:
OWASP References:
WASC References:
Description: The email addresses listed in the Results section were collected from the returned HTML content during the crawl phase.
Impact: Email addresses may help a malicious user with brute force and phishing attacks.
Solution: Review the email list to see if they are all email addresses you want to expose.
Results
Number of emails: 2
datenschutz.jacde@jacde.jnj.com
jancil@its.jnj.com
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/basic_info
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using clickjacking techniques.
Solution: Two of the most popular preventions are:
- X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
- Framekiller: JavaScript code that prevents a malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload : N/A
Result : The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/therapy_planning
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using clickjacking techniques.
Solution: Two of the most popular preventions are:
- X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
- Framekiller: JavaScript code that prevents a malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload : N/A
Result : The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/sitemap
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using clickjacking techniques.
Solution: Two of the most popular preventions are:
- X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
- Framekiller: JavaScript code that prevents a malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload : N/A
Result : The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/shared_decision
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using clickjacking techniques.
Solution: Two of the most popular preventions are:
- X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
- Framekiller: JavaScript code that prevents a malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload : N/A
Result : The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using clickjacking techniques.
Solution: Two of the most popular preventions are:
- X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
- Framekiller: JavaScript code that prevents a malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload : N/A
Result : The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/privacy_policy
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using clickjacking techniques.
Solution: Two of the most popular preventions are:
- X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
- Framekiller: JavaScript code that prevents a malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload : N/A
Result : The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/impressum
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using clickjacking techniques.
Solution: Two of the most popular preventions are:
- X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
- Framekiller: JavaScript code that prevents a malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload : N/A
Result : The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/legal_notice
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using clickjacking techniques.
Solution: Two of the most popular preventions are:
- X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
- Framekiller: JavaScript code that prevents a malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload : N/A
Result : The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/psychoedukation
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using clickjacking techniques.
Solution: Two of the most popular preventions are:
- X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
- Framekiller: JavaScript code that prevents a malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload : N/A
Result : The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/adherence
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using clickjacking techniques.
Solution: Two of the most popular preventions are:
- X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
- Framekiller: JavaScript code that prevents a malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload : N/A
Result : The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150099 / Information Gathered
Cookies Issued Without User Consent
CWE IDs:
OWASP References:
WASC References:
Description: The cookies listed in the Results section were issued from the web application during the crawl without accepting any opt-in dialogs.
Impact: Cookies may be set without user explicitly agreeing to accept them.
Solution: Review the application to ensure that all cookies listed are supposed to be issued without user opt-in. If the EU Cookie law is applicable for this web application, ensure these cookies require user opt-in or have been classified as exempt by your organization.
Results
Total cookies: 6
SESSa1d09bb6cc6d03301008ba39ec8b2506=fa7qu4blostqinffatpvuakqbtj2hpmo; expires=Tue Jul 24 01:36:32 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1999999; httponly
__utma=153766946.587451473.1341118993.1341118993.1341118993.1; expires=Mon Jun 30 22:03:12 2014; path=/; domain=.kompass-therapiebegleiter.de; max-age=63071999
__utmb=153766946.1.10.1341118993; expires=Sat Jun 30 22:33:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1799
__utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de
__utmz=153766946.1341118993.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expires=Sun Dec 30 09:03:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767999
has_js=1; path=/; domain=www.kompass-therapiebegleiter.de
Appendix - Web Application Profile : P&G-LC5H-LPF-MBTF-NSC_COM
Crawling
Form Submission: POST & GET
Maximum Link to Crawl: 500
Performance: LOW
Sensitive Content
Credit Card Numbers: No
Social Security Numbers: No
Custom: no
Custom Checks:
Detection
Option: COMPLETE
Password Bruteforcing
Option: MINIMAL
Number of Attempts: -
CONFIDENTIAL AND PROPRIETARY INFORMATION.
Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2012, Qualys, Inc.