Qualys, Inc
1600 Bridge Parkway
Redwood Shores, CA 94065
(650) 801 6100

Scan Results Report

Data Information
Type:                   WAS Scan Result
Author:                 Daneian Easy
Company:                Johnson and Johnson
Generation date:        09 Jul 2012 09:07AM GMT-0400

Settings
Sort Criteria:          Sort by descending Severity

The scan completed successfully in 30 minutes and 8 seconds.

Scan Information
Title                    EMEA-Pharma-EXT-Prod-Quaterly-kompass-therapiebegleiter.de - 2012-Jun-29
Scan Type                Vulnerability
Launch Mode              Scheduled
Start Date               01 Jul 2012 01:00AM GMT-0400
End Date                 01 Jul 2012 01:30AM GMT-0400
Web Application          kompass-therapiebegleiter.de
Target URL               http://www.kompass-therapiebegleiter.de
Authentication Record    None
Option Profile           P&G-LC5H-LPF-MBTF-NSC_COM
Scanner Appliance        External

Scan Summary
Security Risk
Authentication Status    None

Crawling Phase
Crawl Duration           00:02:38
# Links Crawled          51 Links
# Links In Queue         0 Links

Vulnerability Assessment Phase
Assessment Time          00:26:24
# Requests               10,044
Findings By Type: (chart)
Sensitive Content By Group: (chart)

Vulnerabilities by Group / Level

Name      Level 1     Level 2      Level 3   Level 4   Level 5   Total
XSS       0           0            0         0         0         0
SQL       0           0            0         0         0         0
PATH      0           0            0         0         0         0
INFO      10          0            1         0         0         11

Vulnerabilities by OWASP

Code        # Vulns
A-1         0
A-2         0
A-3         0
A-4         0
A-5         0
A-6         1
A-7         0
A-8         0
A-9         0
A-10        0

Top WASC Threats: (chart)




 Results

QID: 150085                            / Information Disclosure

Slow HTTP POST vulnerability
URL: https://www.kompass-therapiebegleiter.de/contactus


CWE IDs:
OWASP References:             A6: Security Misconfiguration
WASC References:


Vulnerable Parameter:


Description:                  The application scanner determined that the web application is probably vulnerable to a slow HTTP POST DDoS attack, an application-level (Layer 7) DDoS that occurs when an attacker holds server connections open
                              by sending properly crafted HTTP POST headers that contain a legitimate Content-Length header to tell the web server how much data to expect. After the HTTP POST headers are fully sent, the HTTP
                              POST message body is sent at a slow rate to prolong completion of the request and tie up server resources. The server waits for the complete request body in order to support clients with slow or
                              intermittent connections. More information can be found in the referenced presentation.
Impact:                       All other services remain intact, but the web server itself becomes completely inaccessible.
Solution:                     The solution is server-specific, but the general recommendations are:
                              - limit the size of the acceptable request to each form's requirements
                              - establish a minimal acceptable transfer rate
                              - establish an absolute request timeout for connections carrying a POST request
                              An easy-to-use tool for intrusive testing is available from the referenced link.


Results


Authenticated:                -
Form Entry Point:             -


Payload:                      N/A
Result:                       Vulnerable to slow HTTP POST attack

                              Server resets timeout after accepting request data from peer.



QID: 6                        / Information Gathered

DNS Host Name

CWE IDs:
OWASP References:
WASC References:



Description:        The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.
Impact:
Solution:


Results


IP address                                                                      Host name
77.246.41.39                                                                    No registered hostname




QID: 45038                    / Information Gathered

Host Scan Time

CWE IDs:
OWASP References:
WASC References:



Description:        The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below.

                    The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a
                    scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer
                    the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.

Impact:             N/A
Solution:           N/A


Results
Scan duration: 1760 seconds

Start time: Sun, Jul 01 2012, 05:00:17 GMT

End time: Sun, Jul 01 2012, 05:29:37 GMT




QID: 82040                                   / Information Gathered

ICMP Replies Received

CWE IDs:
OWASP References:
WASC References:



Description:                     ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. ICMP's principal purpose is to provide a protocol layer that informs gateways of the inter-connectivity and
                                 accessibility of other gateways or hosts.

                                 We have sent the following types of packets to trigger the host to send us ICMP replies:


                                 Echo Request (to trigger Echo Reply)
                                 Timestamp Request (to trigger Timestamp Reply)
                                 Address Mask Request (to trigger Address Mask Reply)
                                 UDP Packet (to trigger Port Unreachable Reply)
                                 IP Packet with Protocol >= 250 (to trigger Protocol Unreachable Reply)


                                 Listed in the "Result" section are the ICMP replies that we have received.

Impact:
Solution:


Results


ICMP Reply Type                                             Triggered By                                                    Additional Information
Echo (type=0 code=0)                                        Echo Request                                                    Echo Reply




QID: 150009                                  / Information Gathered

Links Crawled

CWE IDs:
OWASP References:
WASC References:
Description:   The list of unique links crawled by the Web application scanner appears in the Results section. This list may contain fewer links than the maximum threshold defined at scan launch. The maximum links to crawl
               includes links in this list, requests made via HTML forms, and requests for the same link made as an anonymous and as an authenticated user.
Impact:        N/A
Solution:      N/A


Results
Duration of crawl phase (seconds): 158.00
Number of links: 51
(This number excludes form requests and links re-requested during authentication.)

http://www.kompass-therapiebegleiter.de/
http://www.kompass-therapiebegleiter.de/adherence
http://www.kompass-therapiebegleiter.de/basic_info
http://www.kompass-therapiebegleiter.de/contactus
http://www.kompass-therapiebegleiter.de/datenschutz-glossar
http://www.kompass-therapiebegleiter.de/impressum
http://www.kompass-therapiebegleiter.de/index.php
http://www.kompass-therapiebegleiter.de/legal_notice
http://www.kompass-therapiebegleiter.de/misc/favicon.ico
http://www.kompass-therapiebegleiter.de/privacy_policy
http://www.kompass-therapiebegleiter.de/psychoedukation
http://www.kompass-therapiebegleiter.de/shared_decision
http://www.kompass-therapiebegleiter.de/sitemap
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_patient.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_umschlag.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_Titel.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_inhalt.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_Titel_02.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_inhalt_02.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_adherence_therapiebegleiter.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_infoletter_1.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_pe_cl_krisenbewaeltigung.pdf
http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js
http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js
http://www.kompass-therapiebegleiter.de/therapy_planning
https://www.kompass-therapiebegleiter.de/
https://www.kompass-therapiebegleiter.de/adherence
https://www.kompass-therapiebegleiter.de/basic_info
https://www.kompass-therapiebegleiter.de/contactus
https://www.kompass-therapiebegleiter.de/contactus/
https://www.kompass-therapiebegleiter.de/contactus/confirm
https://www.kompass-therapiebegleiter.de/datenschutz-glossar
https://www.kompass-therapiebegleiter.de/impressum
https://www.kompass-therapiebegleiter.de/legal_notice
https://www.kompass-therapiebegleiter.de/misc/favicon.ico
https://www.kompass-therapiebegleiter.de/privacy_policy
https://www.kompass-therapiebegleiter.de/psychoedukation
https://www.kompass-therapiebegleiter.de/shared_decision
https://www.kompass-therapiebegleiter.de/sitemap
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_patient.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_umschlag.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_Titel.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_inhalt.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_Titel_02.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_inhalt_02.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_adherence_therapiebegleiter.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_infoletter_1.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_pe_cl_krisenbewaeltigung.pdf
https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js
https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js
https://www.kompass-therapiebegleiter.de/therapy_planning




QID: 150010                                 / Information Gathered
External Links Discovered

CWE IDs:
OWASP References:
WASC References:



Description:                     The external links discovered by the Web application scanning engine are provided in the Results section. These links were present on the target Web application, but were not crawled.
Impact:                          N/A
Solution:                        N/A


Results

Number of links: 8
http://www.google-analytics.com/ga.js
http://www.adobe.com/de/products/reader/
http://www.janssen-cilag.de/?product=kompass
https://ssl.google-analytics.com/ga.js
mailto:%5bno%20address%20given%5d
mailto:datenschutz.jacde@jacde.jnj.com
mailto:jancil@its.jnj.com
http://tools.google.com/dlpage/gaoptout?hl=de




QID: 150021                               / Information Gathered

Scan Diagnostics

CWE IDs:
OWASP References:
WASC References:



Description:                     This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application.
Impact:                          The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application.
Solution:                        No action is required.


Results
Loaded 0 blacklist entries.
Loaded 0 whitelist entries.
HTML form authentication unavailable, no WEBAPP entry found
Collected 57 links overall.
Path manipulation: estimated time < 1 minute (101 tests, 75 inputs)
Path manipulation: 101 vulnsigs tests, completed 3185 requests, 538 seconds. All tests completed.
WS enumeration: estimated time < 1 minute (9 tests, 69 inputs)
WS enumeration: 9 vulnsigs tests, completed 189 requests, 32 seconds. All tests completed.
Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (43 tests, 0 inputs)
Batch #1 URI parameter manipulation (no auth): 43 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Batch #1 Form parameter manipulation (no auth): estimated time < 1 minute (43 tests, 3 inputs)
Batch #1 Form parameter manipulation (no auth): 43 vulnsigs tests, completed 301 requests, 179 seconds. All tests completed.
Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (19 tests, 0 inputs)
Batch #1 URI blind SQL manipulation (no auth): 19 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Batch #1 Form blind SQL manipulation (no auth): estimated time < 1 minute (19 tests, 3 inputs)
Batch #1 Form blind SQL manipulation (no auth): 19 vulnsigs tests, completed 133 requests, 220 seconds. All tests completed.
Batch #1 Form field time-based tests (no auth): estimated time < 1 minute (8 tests, 0 inputs)
Batch #1 Form field time-based tests (no auth): 8 vulnsigs tests, completed 56 requests, 103 seconds. No tests to execute.
HTTP call manipulation: estimated time < 1 minute (32 tests, 0 inputs)
HTTP call manipulation: 32 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Open Redirect analysis: estimated time < 1 minute (1 tests, 0 inputs)
Open Redirect analysis: 1 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Cookie manipulation: estimated time < 1 minute (36 tests, 10 inputs)
Cookie manipulation: 36 vulnsigs tests, completed 4725 requests, 428 seconds. XSS optimization removed 207 links. Completed 4725 requests of 11520 estimated requests (41%). All tests completed.
Header manipulation: estimated time < 1 minute (36 tests, 32 inputs)
Header manipulation: 36 vulnsigs tests, completed 768 requests, 84 seconds. XSS optimization removed 736 links. Completed 768 requests of 2304 estimated requests (33%). All tests completed.
Total requests made: 10044
Average server response time: 0.55 seconds
Most recent links:
200 https://www.kompass-therapiebegleiter.de/therapy_planning
200 https://www.kompass-therapiebegleiter.de/impressum
200 https://www.kompass-therapiebegleiter.de/psychoedukation
200 https://www.kompass-therapiebegleiter.de/privacy_policy
200 https://www.kompass-therapiebegleiter.de/basic_info
200 https://www.kompass-therapiebegleiter.de/contactus/confirm
200 https://www.kompass-therapiebegleiter.de/datenschutz-glossar
200 https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js
200 https://www.kompass-therapiebegleiter.de/contactus/
200 http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js




QID: 150028                                / Information Gathered

Cookies Collected

CWE IDs:
OWASP References:
WASC References:



Description:                      The cookies listed in the Results section were received from the web application during the crawl phase.
Impact:                           Cookies may contain sensitive information about the user. Cookies sent via HTTP may be sniffed.
Solution:                         Review cookie values to ensure that sensitive information, such as passwords, is not present within them.
Results

Total cookies: 10
InquiryID=62955; path=/; domain=www.kompass-therapiebegleiter.de
SESSa1d09bb6cc6d03301008ba39ec8b2506=vg9kj6u8nujbcmg4r4p241bgvij93mbu; expires=Tue Jul 24 01:35:01 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1999908; httponly
SESSa1d09bb6cc6d03301008ba39ec8b2506=v62ptgn01p4ajr3i4emm1jarrhlddlil; path=/; domain=www.kompass-therapiebegleiter.de
__utma=153766946.1204051642.1341118844.1341118844.1341118844.1; expires=Mon Jun 30 22:02:37 2014; path=/; domain=.kompass-therapiebegleiter.de; max-age=63071964
__utmb=153766946.2.10.1341118844; expires=Sat Jun 30 22:32:37 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1764
__utmb=153766946.1.10.1341118844; path=/; domain=www.kompass-therapiebegleiter.de
__utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de
__utmz=153766946.1341118844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expires=Sun Dec 30 09:02:37 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767964
current_time=1341118900; path=/; domain=www.kompass-therapiebegleiter.de
has_js=1; path=/; domain=www.kompass-therapiebegleiter.de




QID: 150054                                 / Information Gathered

Email Addresses Collected

CWE IDs:
OWASP References:
WASC References:



Description:                      The email addresses listed in the Results section were collected from the returned HTML content during the crawl phase.
Impact:                           Email addresses may help a malicious user with brute force and phishing attacks.
Solution:                         Review the list to confirm that all of these email addresses are ones you intend to expose.


Results

Number of emails: 2
datenschutz.jacde@jacde.jnj.com
jancil@its.jnj.com




QID: 150081                                 / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/basic_info


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:
Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using clickjacking techniques.
Solution:                     Two of the most popular preventions are:
                              - X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
                              - Framekiller: JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload:                      N/A
Result:                       The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/therapy_planning


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using clickjacking techniques.
Solution:                     Two of the most popular preventions are:
                              - X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
                              - Framekiller: JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload:                      N/A
Result:                       The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/sitemap


CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using clickjacking techniques.
Solution:                     Two of the most popular preventions are:
                              - X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
                              - Framekiller: JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload:                      N/A
Result:                       The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/shared_decision


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using clickjacking techniques.
Solution:                     Two of the most popular preventions are:
                              - X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
                              - Framekiller: JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload:                      N/A
Result:                       The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/
CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using clickjacking techniques.
Solution:                     Two of the most popular preventions are:
                              - X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
                              - Framekiller: JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload:                      N/A
Result:                       The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/privacy_policy


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using clickjacking techniques.
Solution:                     Two of the most popular preventions are:
                              - X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
                              - Framekiller: JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload:                      N/A
Result:                       The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/impressum


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                   An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                        Attacks like CSRF can be performed using clickjacking techniques.
Solution:                      Two of the most popular preventions are:
                               - X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
                               - Framekiller: JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                 -
Form Entry Point:              -


Payload:                       N/A
Result:                        The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                             / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/legal_notice


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                   An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                        Attacks like CSRF can be performed using clickjacking techniques.
Solution:                      Two of the most popular preventions are:
                               - X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
                               - Framekiller: JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                 -
Form Entry Point:              -


Payload:                       N/A
Result:                        The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/psychoedukation


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using clickjacking techniques.
Solution:                     Two of the most popular preventions are:
                              - X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
                              - Framekiller: JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload:                      N/A
Result:                       The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/adherence


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using clickjacking techniques.
Solution:                     Two of the most popular preventions are:
                              - X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
                              - Framekiller: JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload:                      N/A
Result:                       The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150099                              / Information Gathered

Cookies Issued Without User Consent

CWE IDs:
OWASP References:
WASC References:



Description:                   The cookies listed in the Results section were set by the web application during the crawl, which accepted no opt-in dialog, so they are issued to every visitor before any consent is given.
Impact:                        Cookies may be set without the user explicitly agreeing to accept them. Tracking cookies set before consent also reveal which third-party services run on the page (here the __utm* cookies of Google Analytics).
Solution:                      Review the application to ensure that every cookie listed is meant to be issued without user opt-in. If the EU cookie law applies to this web application, ensure that cookies which are not strictly necessary (analytics and tracking cookies) are set only after opt-in, or have
                               been classified as exempt by your organization. A session cookie the site needs in order to function is typically exempt, but should still carry the Secure flag so that it is never sent over plain HTTP.


Results

Total cookies: 6
SESSa1d09bb6cc6d03301008ba39ec8b2506=fa7qu4blostqinffatpvuakqbtj2hpmo; expires=Tue Jul 24 01:36:32 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1999999; httponly
__utma=153766946.587451473.1341118993.1341118993.1341118993.1; expires=Mon Jun 30 22:03:12 2014; path=/; domain=.kompass-therapiebegleiter.de; max-age=63071999
__utmb=153766946.1.10.1341118993; expires=Sat Jun 30 22:33:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1799
__utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de
__utmz=153766946.1341118993.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expires=Sun Dec 30 09:03:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767999
has_js=1; path=/; domain=www.kompass-therapiebegleiter.de
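To turn the list above into an actionable review, the following added example (not code from the report or from Qualys) parses each Set-Cookie line, classifies the cookie by name and flags what a practitioner would check: analytics cookies set before opt-in, and session cookies lacking the Secure, HttpOnly or SameSite attributes. The name-based rules are assumptions made for this example: SESS* and has_js are the cookie names Drupal uses for its session and JavaScript-detection cookies, and __utm* are Google Analytics cookies. The sample input is copied from the results above; as listed, the SESS* session cookie carries httponly but no secure attribute, and the finding URLs in this report include both http and https.

```python
"""Audit Set-Cookie lines for consent classification and security attributes.

Added example, not part of the Qualys report. The classification rules are
assumptions: SESS* and has_js are Drupal's session and JS-detection cookie
names, __utm* are Google Analytics cookies. Anything else is flagged for
manual review rather than silently treated as exempt.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Sample input taken from the "Cookies Issued Without User Consent" results above.
SAMPLE_SET_COOKIES = [
    "SESSa1d09bb6cc6d03301008ba39ec8b2506=fa7qu4blostqinffatpvuakqbtj2hpmo; "
    "expires=Tue Jul 24 01:36:32 2012; path=/; domain=.kompass-therapiebegleiter.de; "
    "max-age=1999999; httponly",
    "__utma=153766946.587451473.1341118993.1341118993.1341118993.1; "
    "expires=Mon Jun 30 22:03:12 2014; path=/; domain=.kompass-therapiebegleiter.de; max-age=63071999",
    "__utmb=153766946.1.10.1341118993; expires=Sat Jun 30 22:33:12 2012; "
    "path=/; domain=.kompass-therapiebegleiter.de; max-age=1799",
    "__utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de",
    "__utmz=153766946.1341118993.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); "
    "expires=Sun Dec 30 09:03:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767999",
    "has_js=1; path=/; domain=www.kompass-therapiebegleiter.de",
]

# Assumed rules: (name prefix, category, needs opt-in before being set).
CATEGORIES = [
    ("SESS", "session (Drupal)", False),
    ("has_js", "functional (Drupal JS detection)", False),
    ("__utm", "analytics (Google Analytics)", True),
]


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)   # attribute names lower-cased

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def persistent(self) -> bool:
        return "expires" in self.attrs or "max-age" in self.attrs

    @property
    def samesite(self):
        return self.attrs.get("samesite")


def parse_set_cookie(line: str) -> Cookie:
    """Split a Set-Cookie value into name, value and its attributes."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")     # first '=' only: values may contain '='
    attrs: dict = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def classify(cookie: Cookie):
    """Return (category, needs_consent) from the assumed name-prefix rules."""
    for prefix, category, needs_consent in CATEGORIES:
        if cookie.name.startswith(prefix):
            return category, needs_consent
    return "unknown (review)", True


def audit(lines) -> dict:
    """Map each cookie name to the list of issues found; an empty list is clean."""
    report: dict = {}
    for line in lines:
        cookie = parse_set_cookie(line)
        category, needs_consent = classify(cookie)
        issues = []
        if needs_consent:
            issues.append(f"{category}: set before opt-in; gate it behind consent")
        if not cookie.secure:
            issues.append("missing Secure: also sent over plain HTTP")
        if category.startswith("session"):
            if not cookie.httponly:
                issues.append("session cookie missing HttpOnly")
            if cookie.samesite is None:
                issues.append("session cookie has no SameSite attribute")
        report[cookie.name] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_SET_COOKIES).items():
        print(name, "->", "; ".join(issues) or "ok")
```

Extend CATEGORIES with the cookie names your own platform and consent banner use; unknown names are deliberately reported as needing review so that a new tracker cannot slip through as exempt.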




 Appendix - Web Application Profile : P&G-LC5H-LPF-MBTF-NSC_COM


   Crawling
Form Submission:                       POST & GET
Maximum Links to Crawl:                500
Performance:                           LOW


   Sensitive Content
Credit Card Numbers:                   No
Social Security Numbers:               No
Custom:                                No
Custom Checks:


   Detection
Option:                                COMPLETE


   Password Bruteforcing
Option:                                MINIMAL
Number of Attempts:                    -




CONFIDENTIAL AND PROPRIETARY INFORMATION.
Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2012, Qualys, Inc.

Contenu connexe

Similaire à Application scan

Android in the healthcare workplace
Android in the healthcare workplaceAndroid in the healthcare workplace
Android in the healthcare workplaceThomas Richards
 
IISF-March2023.pptx
IISF-March2023.pptxIISF-March2023.pptx
IISF-March2023.pptxEoin Keary
 
Software Development Weaknesses - SecOSdays Sofia, 2019
Software Development Weaknesses - SecOSdays Sofia, 2019Software Development Weaknesses - SecOSdays Sofia, 2019
Software Development Weaknesses - SecOSdays Sofia, 2019Balázs Tatár
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficAbraham Aranguren
 
How Can PVS-Studio Help in the Detection of Vulnerabilities?
How Can PVS-Studio Help in the Detection of Vulnerabilities?How Can PVS-Studio Help in the Detection of Vulnerabilities?
How Can PVS-Studio Help in the Detection of Vulnerabilities?PVS-Studio
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilitiesOWASP
 
CRA - overview of vulnerability handling
CRA - overview of vulnerability handlingCRA - overview of vulnerability handling
CRA - overview of vulnerability handlingOlle E Johansson
 
SPICE MODEL of TPC6107 (Standard+BDS Model) in SPICE PARK
SPICE MODEL of TPC6107 (Standard+BDS Model) in SPICE PARKSPICE MODEL of TPC6107 (Standard+BDS Model) in SPICE PARK
SPICE MODEL of TPC6107 (Standard+BDS Model) in SPICE PARKTsuyoshi Horigome
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
SPICE MODEL of TPC6107 (Professional+BDP Model) in SPICE PARK
SPICE MODEL of TPC6107 (Professional+BDP Model) in SPICE PARKSPICE MODEL of TPC6107 (Professional+BDP Model) in SPICE PARK
SPICE MODEL of TPC6107 (Professional+BDP Model) in SPICE PARKTsuyoshi Horigome
 
2022 APIsecure_Secure your APIs with WAF in AWS
2022 APIsecure_Secure your APIs with WAF in AWS2022 APIsecure_Secure your APIs with WAF in AWS
2022 APIsecure_Secure your APIs with WAF in AWSAPIsecure_ Official
 
Setup Preconfigured Protections on AWS WAF - November 2016 Webinar Series
Setup Preconfigured Protections on AWS WAF - November 2016 Webinar SeriesSetup Preconfigured Protections on AWS WAF - November 2016 Webinar Series
Setup Preconfigured Protections on AWS WAF - November 2016 Webinar SeriesAmazon Web Services
 
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request ForgeryOWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request ForgeryOWASP Khartoum
 
MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingAPNIC
 
AWS WAF adds support for Captcha
AWS WAF adds support for CaptchaAWS WAF adds support for Captcha
AWS WAF adds support for CaptchaDhaval Soni
 

Similaire à Application scan (20)

Android in the healthcare workplace
Android in the healthcare workplaceAndroid in the healthcare workplace
Android in the healthcare workplace
 
IISF-March2023.pptx
IISF-March2023.pptxIISF-March2023.pptx
IISF-March2023.pptx
 
Software Development Weaknesses - SecOSdays Sofia, 2019
Software Development Weaknesses - SecOSdays Sofia, 2019Software Development Weaknesses - SecOSdays Sofia, 2019
Software Development Weaknesses - SecOSdays Sofia, 2019
 
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack trafficBruCon 2011 Lightning talk winner: Web app testing without attack traffic
BruCon 2011 Lightning talk winner: Web app testing without attack traffic
 
How Can PVS-Studio Help in the Detection of Vulnerabilities?
How Can PVS-Studio Help in the Detection of Vulnerabilities?How Can PVS-Studio Help in the Detection of Vulnerabilities?
How Can PVS-Studio Help in the Detection of Vulnerabilities?
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities
 
CRA - overview of vulnerability handling
CRA - overview of vulnerability handlingCRA - overview of vulnerability handling
CRA - overview of vulnerability handling
 
SPICE MODEL of TPC6107 (Standard+BDS Model) in SPICE PARK
SPICE MODEL of TPC6107 (Standard+BDS Model) in SPICE PARKSPICE MODEL of TPC6107 (Standard+BDS Model) in SPICE PARK
SPICE MODEL of TPC6107 (Standard+BDS Model) in SPICE PARK
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application Defences
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
SPICE MODEL of TPC6107 (Professional+BDP Model) in SPICE PARK
SPICE MODEL of TPC6107 (Professional+BDP Model) in SPICE PARKSPICE MODEL of TPC6107 (Professional+BDP Model) in SPICE PARK
SPICE MODEL of TPC6107 (Professional+BDP Model) in SPICE PARK
 
2022 APIsecure_Secure your APIs with WAF in AWS
2022 APIsecure_Secure your APIs with WAF in AWS2022 APIsecure_Secure your APIs with WAF in AWS
2022 APIsecure_Secure your APIs with WAF in AWS
 
Setup Preconfigured Protections on AWS WAF - November 2016 Webinar Series
Setup Preconfigured Protections on AWS WAF - November 2016 Webinar SeriesSetup Preconfigured Protections on AWS WAF - November 2016 Webinar Series
Setup Preconfigured Protections on AWS WAF - November 2016 Webinar Series
 
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request ForgeryOWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
 
MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet Routing
 
AWS WAF adds support for Captcha
AWS WAF adds support for CaptchaAWS WAF adds support for Captcha
AWS WAF adds support for Captcha
 

Dernier

Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...anjaliyadav012327
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxShobhayan Kirtania
 

Dernier (20)

Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room service
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptx
 

Application scan

  • 1. Qualys, Inc 1600 Bridge Parkway Redwood Shores, CA 94065 (650) 801 6100 Scan Results Report Data Information Settings Type: WAS Scan Result Sort Criteria Sort by descending Severity Author: Daneian Easy Company: Johnson and Johnson Generation date: 09 Jul 2012 09:07AM GMT-0400 The scan completed successfully in 30 minutes, and 8 seconds. Scan Information Scan Summary Title EMEA-Pharma-EXT-Prod-Quaterly-kompass-therapiebegleiter.de - 2012-Jun-29 Security Risk Scan Type Vulnerability Authentication Status None Launch Mode Scheduled Start Date 01 Jul 2012 01:00AM GMT-0400 Crawling Phase End Date 01 Jul 2012 01:30AM GMT-0400 Crawl Duration 00:02:38 Web Application kompass-therapiebegleiter.de # Links Crawled 51 Links Target URL # Links In Queue 0 Links http://www.kompass-therapiebegleiter.de Authentication Record None Vulnerability Assessment Phase Option Profile P&G-LC5H-LPF-MBTF-NSC_COM Assessment Time 00:26:24 Scanner Applicance External # Requests 10,044
  • 2. Findings By Type Sensitive Content By Group Vulnerabilities by Group / Level Name Level 1 Level 2 Level 3 Level 4 Level 5 Total XSS 0 0 0 0 0 0 SQL 0 0 0 0 0 0 PATH 0 0 0 0 0 0 INFO 10 0 1 0 0 11
  • 3. Vulnerabilities by OWASP Top WASC Threats Code # Vulns A-1 0 A-2 0 A-3 0 A-4 0 A-5 0 A-6 1 A-7 0 A-8 0 A-9 0 A-10 0 Results QID: 150085 / Information Disclosure Slow HTTP POST vulnerability URL: https://www.kompass-therapiebegleiter.de/contactus CWE IDs: OWASP References: A6: Security Misconfiguration WASC References: Vulnerable Parameter: Description: Application scanner discovered, that web application is probably vulnerable to slow HTTP POST DDoS attack - an application level (Layer 7) DDoS, that occurs when an attacker holds server connections open by sending properly crafted HTTP POST headers, that contain a legitimate Content-Length header to inform the web server how much of data to expect. After the HTTP POST headers are fully sent, the HTTP POST message body is sent at slow speeds to prolong the completion of the connection and lock up server resources.By waiting for complete request body, server supports clients with slow or intermittent connections More information can be found at the in this presentation. Impact: All other services remain intact but the web server itself becomes completely inaccessible. Solution: Solution would be server-specific, but general recommendations are: - to limit the size of the acceptable request to each form requirements - establish minimal acceptable speed rate - establish absolute request timeout for connection with POST request Easy to use tool for intrusive testing is available here. Results Authenticated: - Form Entry Point: - Payload : N/A
  • 4. Result : Vulnerable to slow HTTP POST attack Server resets timeout after accepting request data from peer. QID: 6 / Information Gathered DNS Host Name CWE IDs: OWASP References: WASC References: Description: The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section. Impact: Solution: Results IP address Host name 77.246.41.39 No registered hostname QID: 45038 / Information Gathered Host Scan Time CWE IDs: OWASP References: WASC References: Description: The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below. The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners. Impact: N/A Solution: N/A Results
  • 5. Scan duration: 1760 seconds Start time: Sun, Jul 01 2012, 05:00:17 GMT End time: Sun, Jul 01 2012, 05:29:37 GMT QID: 82040 / Information Gathered ICMP Replies Received CWE IDs: OWASP References: WASC References: Description: ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. ICMP's principal purpose is to provide a protocol layer that informs gateways of the inter-connectivity and accessibility of other gateways or hosts. We have sent the following types of packets to trigger the host to send us ICMP replies: Echo Request (to trigger Echo Reply) Timestamp Request (to trigger Timestamp Reply) Address Mask Request (to trigger Address Mask Reply) UDP Packet (to trigger Port Unreachable Reply) IP Packet with Protocol >= 250 (to trigger Protocol Unreachable Reply) Listed in the "Result" section are the ICMP replies that we have received. Impact: Solution: Results ICMP Reply Type Triggered By Additional Information Echo (type=0 code=0) Echo Request Echo Reply QID: 150009 / Information Gathered Links Crawled CWE IDs: OWASP References: WASC References:
  • 6. Description: The list of unique links crawled by the Web application scanner appear in the Results section. This list may contain fewer links than the maximum threshold defined at scan launch. The maximum links to crawl includes links in this list, requests made via HTML forms, and requests for the same link made as an anonymous and authenticated user. Impact: N/A Solution: N/A Results
  • 7. Duration of crawl phase (seconds): 158.00 Number of links: 51 (This number excludes form requests and links re-requested during authentication.) http://www.kompass-therapiebegleiter.de/ http://www.kompass-therapiebegleiter.de/adherence http://www.kompass-therapiebegleiter.de/basic_info http://www.kompass-therapiebegleiter.de/contactus http://www.kompass-therapiebegleiter.de/datenschutz-glossar http://www.kompass-therapiebegleiter.de/impressum http://www.kompass-therapiebegleiter.de/index.php http://www.kompass-therapiebegleiter.de/legal_notice http://www.kompass-therapiebegleiter.de/misc/favicon.ico http://www.kompass-therapiebegleiter.de/privacy_policy http://www.kompass-therapiebegleiter.de/psychoedukation http://www.kompass-therapiebegleiter.de/shared_decision http://www.kompass-therapiebegleiter.de/sitemap http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_patient.pdf http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_umschlag.pdf http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_Titel.pdf http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_inhalt.pdf http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_Titel_02.pdf http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_inhalt_02.pdf http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_adherence_therapiebegleiter.pdf http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_infoletter_1.pdf 
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_pe_cl_krisenbewaeltigung.pdf http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js http://www.kompass-therapiebegleiter.de/therapy_planning https://www.kompass-therapiebegleiter.de/ https://www.kompass-therapiebegleiter.de/adherence https://www.kompass-therapiebegleiter.de/basic_info https://www.kompass-therapiebegleiter.de/contactus https://www.kompass-therapiebegleiter.de/contactus/ https://www.kompass-therapiebegleiter.de/contactus/confirm https://www.kompass-therapiebegleiter.de/datenschutz-glossar https://www.kompass-therapiebegleiter.de/impressum https://www.kompass-therapiebegleiter.de/legal_notice https://www.kompass-therapiebegleiter.de/misc/favicon.ico https://www.kompass-therapiebegleiter.de/privacy_policy https://www.kompass-therapiebegleiter.de/psychoedukation https://www.kompass-therapiebegleiter.de/shared_decision https://www.kompass-therapiebegleiter.de/sitemap https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_patient.pdf https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_umschlag.pdf https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_Titel.pdf https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_inhalt.pdf https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_Titel_02.pdf 
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_inhalt_02.pdf https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_adherence_therapiebegleiter.pdf https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_infoletter_1.pdf https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_pe_cl_krisenbewaeltigung.pdf https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js https://www.kompass-therapiebegleiter.de/therapy_planning QID: 150010 / Information Gathered
  • 8. External Links Discovered CWE IDs: OWASP References: WASC References: Description: The external links discovered by the Web application scanning engine are provided in the Results section. These links were present on the target Web application, but were not crawled. Impact: N/A Solution: N/A Results Number of links: 8 http://www.google-analytics.com/ga.js http://www.adobe.com/de/products/reader/ http://www.janssen-cilag.de/?product=kompass https://ssl.google-analytics.com/ga.js mailto:%5bno%20address%20given%5d mailto:datenschutz.jacde@jacde.jnj.com mailto:jancil@its.jnj.com http://tools.google.com/dlpage/gaoptout?hl=de QID: 150021 / Information Gathered Scan Diagnostics CWE IDs: OWASP References: WASC References: Description: This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application. Impact: The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application. Solution: No action is required. Results
  • 9. Loaded 0 blacklist entries. Loaded 0 whitelist entries. HTML form authentication unavailable, no WEBAPP entry found Collected 57 links overall. Path manipulation: estimated time < 1 minute (101 tests, 75 inputs) Path manipulation: 101 vulnsigs tests, completed 3185 requests, 538 seconds. All tests completed. WS enumeration: estimated time < 1 minute (9 tests, 69 inputs) WS enumeration: 9 vulnsigs tests, completed 189 requests, 32 seconds. All tests completed. Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (43 tests, 0 inputs) Batch #1 URI parameter manipulation (no auth): 43 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. Batch #1 Form parameter manipulation (no auth): estimated time < 1 minute (43 tests, 3 inputs) Batch #1 Form parameter manipulation (no auth): 43 vulnsigs tests, completed 301 requests, 179 seconds. All tests completed. Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (19 tests, 0 inputs) Batch #1 URI blind SQL manipulation (no auth): 19 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. Batch #1 Form blind SQL manipulation (no auth): estimated time < 1 minute (19 tests, 3 inputs) Batch #1 Form blind SQL manipulation (no auth): 19 vulnsigs tests, completed 133 requests, 220 seconds. All tests completed. Batch #1 Form field time-based tests (no auth): estimated time < 1 minute (8 tests, 0 inputs) Batch #1 Form field time-based tests (no auth): 8 vulnsigs tests, completed 56 requests, 103 seconds. No tests to execute. HTTP call manipulation: estimated time < 1 minute (32 tests, 0 inputs) HTTP call manipulation: 32 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. Open Redirect analysis: estimated time < 1 minute (1 tests, 0 inputs) Open Redirect analysis: 1 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. 
Cookie manipulation: estimated time < 1 minute (36 tests, 10 inputs)
Cookie manipulation: 36 vulnsigs tests, completed 4725 requests, 428 seconds. XSS optimization removed 207 links. Completed 4725 requests of 11520 estimated requests (41%). All tests completed.
Header manipulation: estimated time < 1 minute (36 tests, 32 inputs)
Header manipulation: 36 vulnsigs tests, completed 768 requests, 84 seconds. XSS optimization removed 736 links. Completed 768 requests of 2304 estimated requests (33%). All tests completed.
Total requests made: 10044
Average server response time: 0.55 seconds
Most recent links:
200 https://www.kompass-therapiebegleiter.de/therapy_planning
200 https://www.kompass-therapiebegleiter.de/impressum
200 https://www.kompass-therapiebegleiter.de/psychoedukation
200 https://www.kompass-therapiebegleiter.de/privacy_policy
200 https://www.kompass-therapiebegleiter.de/basic_info
200 https://www.kompass-therapiebegleiter.de/contactus/confirm
200 https://www.kompass-therapiebegleiter.de/datenschutz-glossar
200 https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js
200 https://www.kompass-therapiebegleiter.de/contactus/
200 http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js

QID: 150028 / Information Gathered
Cookies Collected
CWE IDs: OWASP References: WASC References:
Description: The cookies listed in the Results section were received from the web application during the crawl phase.
Impact: Cookies may contain sensitive information about the user. Cookies sent via HTTP may be sniffed.
Solution: Review cookie values to ensure that sensitive information such as passwords are not present within them. Review the attributes as well: none of the cookies listed below carries the Secure attribute, and only the first SESS... cookie (scoped to .kompass-therapiebegleiter.de) is marked httponly, so the session identifier is also transmitted on the plain http:// URLs that the crawl reached.
Results
Total cookies: 10
InquiryID=62955; path=/; domain=www.kompass-therapiebegleiter.de
SESSa1d09bb6cc6d03301008ba39ec8b2506=vg9kj6u8nujbcmg4r4p241bgvij93mbu; expires=Tue Jul 24 01:35:01 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1999908; httponly
SESSa1d09bb6cc6d03301008ba39ec8b2506=v62ptgn01p4ajr3i4emm1jarrhlddlil; path=/; domain=www.kompass-therapiebegleiter.de
__utma=153766946.1204051642.1341118844.1341118844.1341118844.1; expires=Mon Jun 30 22:02:37 2014; path=/; domain=.kompass-therapiebegleiter.de; max-age=63071964
__utmb=153766946.2.10.1341118844; expires=Sat Jun 30 22:32:37 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1764
__utmb=153766946.1.10.1341118844; path=/; domain=www.kompass-therapiebegleiter.de
__utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de
__utmz=153766946.1341118844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expires=Sun Dec 30 09:02:37 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767964
current_time=1341118900; path=/; domain=www.kompass-therapiebegleiter.de
has_js=1; path=/; domain=www.kompass-therapiebegleiter.de

QID: 150054 / Information Gathered
Email Addresses Collected
CWE IDs: OWASP References: WASC References:
Description: The email addresses listed in the Results section were collected from the returned HTML content during the crawl phase.
Impact: Email addresses may help a malicious user with brute force and phishing attacks.
Solution: Review the email list to see if they are all email addresses you want to expose.
Results
Number of emails: 2
datenschutz.jacde@jacde.jnj.com
jancil@its.jnj.com

QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/basic_info
CWE IDs: OWASP References: WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using Clickjacking techniques.
Solution: Two of the most popular preventions are:
X-Frame-Options: This header works with most modern browsers and can be used to prevent framing of the page (DENY or SAMEORIGIN). In current browsers the Content-Security-Policy frame-ancestors directive covers the same case and takes precedence over X-Frame-Options when both are present.
Framekiller: JavaScript code that prevents the malicious user from framing the page. A framing page can defeat such scripts (for example by loading the page in an iframe whose sandbox attribute disables script execution), so treat the header as the primary control and the framekiller as a fallback only.
Results
Authenticated: -
Form Entry Point: -
Payload : N/A
Result : The response for this request did not have an "X-FRAME-OPTIONS" header present.

The same finding (QID 150081, with identical description, impact, solution and result) was reported for the following URLs:
URL: http://www.kompass-therapiebegleiter.de/therapy_planning
URL: http://www.kompass-therapiebegleiter.de/sitemap
URL: http://www.kompass-therapiebegleiter.de/shared_decision
URL: http://www.kompass-therapiebegleiter.de/
URL: http://www.kompass-therapiebegleiter.de/privacy_policy
URL: http://www.kompass-therapiebegleiter.de/impressum
URL: http://www.kompass-therapiebegleiter.de/legal_notice
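The two recurring finding types in this report, the missing anti-framing header (QID 150081) and cookie attributes (QID 150028, and the same cookie values again under QID 150099), can be re-checked against any captured response without the scanner. The script below is an added example and is not Qualys code or part of the report; the sample response it audits is constructed from the report's own data (a page without X-Frame-Options, plus three of the Set-Cookie values from the "Cookies Collected" list). It goes slightly beyond the report's checks: it also accepts a CSP frame-ancestors directive as framing protection and flags session cookies without SameSite. The rule that a cookie whose name starts with SESS is the session cookie is an assumption made for this Drupal-style site, and the host name passed in is the one the crawl shows.

```python
"""Audit one HTTP response for the two finding types above:
missing anti-framing headers (QID 150081) and weak cookie
attributes (QID 150028 / 150099). Added example, not report code."""
import re

# Constructed sample response: no X-Frame-Options, and three Set-Cookie
# values copied from the "Cookies Collected" results in this report.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SESSa1d09bb6cc6d03301008ba39ec8b2506=vg9kj6u8nujbcmg4r4p241bgvij93mbu; "
    "expires=Tue Jul 24 01:35:01 2012; path=/; domain=.kompass-therapiebegleiter.de; "
    "max-age=1999908; httponly\r\n"
    "Set-Cookie: InquiryID=62955; path=/; domain=www.kompass-therapiebegleiter.de\r\n"
    "Set-Cookie: has_js=1; path=/; domain=www.kompass-therapiebegleiter.de\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw):
    """Split the header block into (name, value) pairs, keeping repeated
    headers such as Set-Cookie as separate entries. Names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # [1:] drops the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value):
    """Parse one Set-Cookie value into name, value and an attribute dict.
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (domain=, samesite=) keep their value."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": cookie_value, "attrs": attrs}


def audit_framing(pairs):
    """QID 150081: is framing restricted, either by X-Frame-Options
    (DENY / SAMEORIGIN) or by a CSP frame-ancestors directive?"""
    findings = []
    xfo = [v for n, v in pairs if n == "x-frame-options"]
    csp = [v for n, v in pairs if n == "content-security-policy"]
    has_frame_ancestors = any(re.search(r"\bframe-ancestors\b", v, re.I) for v in csp)
    if not xfo and not has_frame_ancestors:
        findings.append("no X-Frame-Options header and no CSP frame-ancestors: page can be framed")
    elif xfo and xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options value %r is not DENY or SAMEORIGIN" % xfo[0])
    return findings


def audit_cookies(pairs, host, over_https):
    """QID 150028: cookie attributes. A cookie named SESS* is treated as the
    session cookie (assumption for this site). `host` is the crawled host;
    `over_https` says whether the site is served over TLS, in which case
    a cookie without Secure also leaks on any http:// request."""
    findings = []
    for n, v in pairs:
        if n != "set-cookie":
            continue
        c = parse_set_cookie(v)
        a = c["attrs"]
        is_session = c["name"].startswith("SESS")
        if over_https and "secure" not in a:
            findings.append("%s: missing Secure, will also be sent over http://" % c["name"])
        if is_session and "httponly" not in a:
            findings.append("%s: session cookie without HttpOnly" % c["name"])
        if is_session and "samesite" not in a:
            findings.append("%s: session cookie without SameSite" % c["name"])
        domain = a.get("domain")
        if isinstance(domain, str) and domain.lstrip(".") != host:
            findings.append("%s: scoped to %s, shared with every subdomain" % (c["name"], domain))
    return findings


def audit_response(raw, host, over_https=True):
    """Run both audits over a raw response and return the findings by area."""
    pairs = parse_headers(raw)
    return {"framing": audit_framing(pairs),
            "cookies": audit_cookies(pairs, host, over_https)}


if __name__ == "__main__":
    report = audit_response(SAMPLE_RESPONSE, "www.kompass-therapiebegleiter.de")
    for area, items in report.items():
        for item in items:
            print("%s - %s" % (area, item))
```

To re-test a fix, feed the script the raw response of each URL listed under QID 150081 (for example the bytes returned by `curl -si`) rather than the constructed sample; a page that sets `X-Frame-Options: SAMEORIGIN` or `Content-Security-Policy: frame-ancestors 'self'` produces no framing finding, and the session cookie stops being reported once it carries Secure and a SameSite value.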
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/psychoedukation
URL: http://www.kompass-therapiebegleiter.de/adherence
CWE IDs: OWASP References: WASC References:
Vulnerable Parameter:
Description, Impact and Solution: as in the preceding QID 150081 findings.
Results
Authenticated: -
Form Entry Point: -
Payload : N/A
Result : The response for this request did not have an "X-FRAME-OPTIONS" header present.

QID: 150099 / Information Gathered
Cookies Issued Without User Consent
CWE IDs: OWASP References: WASC References:
Description: The cookies listed in the Results section were issued from the web application during the crawl without accepting any opt-in dialogs.
Impact: Cookies may be set without the user explicitly agreeing to accept them.
Solution: Review the application to ensure that all cookies listed are supposed to be issued without user opt-in. If the EU Cookie law is applicable for this web application, ensure these cookies require user opt-in or have been classified as exempt by your organization.
Results
Total cookies: 6
SESSa1d09bb6cc6d03301008ba39ec8b2506=fa7qu4blostqinffatpvuakqbtj2hpmo; expires=Tue Jul 24 01:36:32 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1999999; httponly
__utma=153766946.587451473.1341118993.1341118993.1341118993.1; expires=Mon Jun 30 22:03:12 2014; path=/; domain=.kompass-therapiebegleiter.de; max-age=63071999
__utmb=153766946.1.10.1341118993; expires=Sat Jun 30 22:33:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1799
__utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de
__utmz=153766946.1341118993.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expires=Sun Dec 30 09:03:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767999
has_js=1; path=/; domain=www.kompass-therapiebegleiter.de

Appendix - Web Application Profile : P&G-LC5H-LPF-MBTF-NSC_COM
Crawling
Form Submission: POST & GET
Maximum Link to Crawl: 500
Performance: LOW
Sensitive Content
Credit Card Numbers: No
Social Security Numbers: No
Custom: no
Custom Checks:
Detection Option: COMPLETE
Password Bruteforcing Option: MINIMAL
Number of Attempts: -

CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2012, Qualys, Inc.