important security question
- 
hello,
 I recently did a pentest on my website, which I found to have a few security problems.
 I noticed the Content Security Policy wasn't there, and something about an iframe policy wasn't there as well. I am using WordPress, and pentest-tools to actually do the pentesting. Here is the PDF. Since I can't send files, I will need to put the contents of the PDF into this text.
 Please note, this was reformatted into a Google Doc; expect spelling errors.
 === begin text ===
 Website Vulnerability Scanner Report (Light)
 Target: https://blindsoft.net
 Summary
 Overall risk level: Low
 Risk ratings:
 High: 0
 Medium: 0
 Low: 4
 Info: 15
 Scan information:
 Start time: 2023-06-22 23:31:10 UTC+03
 Finish time: 2023-06-22 23:31:39 UTC+03
 Scan duration: 29 sec
 Tests performed: 19/19
 Scan status: Finished
 Findings
 Missing security header: Content-Security-Policy (CONFIRMED)
 URL: https://blindsoft.net
 Evidence: Response headers do not include the HTTP Content-Security-Policy security header
 Details
 Risk description:
 The Content-Security-Policy (CSP) header activates a protection mechanism implemented in web browsers which prevents exploitation of Cross-Site Scripting vulnerabilities (XSS). If the target application is vulnerable to XSS, lack of this header makes it easily exploitable by attackers.
 Recommendation:
 Configure the Content-Security-Policy header to be sent with each HTTP response in order to apply the specific policies needed by the application.
 References:
 https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 Classification:
 CWE : CWE-693
 OWASP Top 10 - 2013 : A5 - Security Misconfiguration
 OWASP Top 10 - 2017 : A6 - Security Misconfiguration
 Missing security header: X-Frame-Options (CONFIRMED)
 URL: https://blindsoft.net
 Evidence: Response headers do not include the HTTP X-Frame-Options security header
 Details
 Risk description:
 Because the X-Frame-Options header is not sent by the server, an attacker could embed this website into an iframe of a third party website. By manipulating the display attributes of the iframe, the attacker could trick the user into performing mouse clicks in the application, thus performing activities without user consent (ex: delete user, subscribe to newsletter, etc). This is called a Clickjacking attack and it is described in detail here:
 https://owasp.org/www-community/attacks/Clickjacking
 Recommendation:
 We recommend you to add the X-Frame-Options HTTP header with the values DENY or SAMEORIGIN to every page that you want to be protected against Clickjacking attacks.
 References:
 https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
 Classification:
 CWE : CWE-693
 OWASP Top 10 - 2013 : A5 - Security Misconfiguration
 OWASP Top 10 - 2017 : A6 - Security Misconfiguration
 Robots.txt file found (CONFIRMED)
 URL: https://blindsoft.net/robots.txt
 Details
 Risk description:
 There is no particular security risk in having a robots.txt file. However, this file is often misused by website administrators to try to hide some web pages from the users. This should not be considered a security measure because these URLs can be easily read directly from the robots.txt file.
 Recommendation:
 We recommend you to manually review the entries from robots.txt and remove the ones which lead to sensitive locations in the website (ex. administration panels, configuration files, etc).
 References:
 https://www.theregister.co.uk/2015/05/19/robotstxt/
 Classification:
 OWASP Top 10 - 2013 : A5 - Security Misconfiguration
 OWASP Top 10 - 2017 : A6 - Security Misconfiguration
 Server software and technology found (UNCONFIRMED)
 Software / Version - Category:
 PHP - Programming languages
 WordPress 6.2.2 - CMS, Blogs
 MySQL - Databases
 Cloudflare - CDN
 RSS - Miscellaneous
 HTTP/3 - Miscellaneous
 Jetpack - WordPress plugins
 Site Kit 1.103.0 - Analytics, WordPress plugins
 Twitter Emoji (Twemoji) 14.0.2 - Font scripts
 jQuery Migrate 3.4.0 - JavaScript libraries
 jQuery 3.6.4 - JavaScript libraries
 Google Analytics GA4 - Analytics
 Google AdSense - Advertising
 core-js 3.11.0 - JavaScript libraries
 Chatwoot - Live chat
 HSTS - Security
 Details
 Risk description:
 An attacker could use this information to mount specific attacks against the identified software type and version.
 Recommendation:
 We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.
 References:
 https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server.html
 Classification:
 OWASP Top 10 - 2013 : A5 - Security Misconfiguration
 OWASP Top 10 - 2017 : A6 - Security Misconfiguration
 Security.txt file is missing (CONFIRMED)
 URL missing: https://blindsoft.net/.well-known/security.txt
 Details
 Risk description:
 We have detected that the server is missing the security.txt file. There is no particular risk in not creating a valid Security.txt file for your server. However, this file is important because it offers a designated channel for reporting vulnerabilities and security issues.
 Recommendation:
 We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users to report any security issues they find, improving the defensive mechanisms of your server.
 References:
 https://securitytxt.org/
 Classification:
 OWASP Top 10 - 2013 : A5 - Security Misconfiguration
 OWASP Top 10 - 2017 : A6 - Security Misconfiguration
 Website is accessible.
 Nothing was found for vulnerabilities of server-side software.
 Nothing was found for client access policies.
 Nothing was found for use of untrusted certificates.
 Nothing was found for enabled HTTP debug methods.
 Nothing was found for secure communication.
 Nothing was found for directory listing.
 Nothing was found for missing HTTP header - Strict-Transport-Security.
 Nothing was found for missing HTTP header - X-XSS-Protection.
 Nothing was found for missing HTTP header - X-Content-Type-Options.
 Nothing was found for missing HTTP header - Referrer.
 Nothing was found for domain too loose set for cookies.
 Nothing was found for HttpOnly flag of cookie.
 Nothing was found for Secure flag of cookie.
 Scan coverage information
 List of tests performed (19/19)
  Checking for website accessibility...
  Checking for missing HTTP header - Content Security Policy...
  Checking for missing HTTP header - X-Frame-Options...
  Checking for website technologies...
  Checking for vulnerabilities of server-side software...
  Checking for client access policies...
  Checking for robots.txt file...
  Checking for absence of the security.txt file...
  Checking for use of untrusted certificates...
  Checking for enabled HTTP debug methods...
  Checking for secure communication...
  Checking for directory listing...
 Checking for missing HTTP header - Strict-Transport-Security...
 Checking for missing HTTP header - X-XSS-Protection...
 Checking for missing HTTP header - X-Content-Type-Options...
 Checking for missing HTTP header - Referrer...
  Checking for domain too loose set for cookies...
  Checking for HttpOnly flag of cookie...
  Checking for Secure flag of cookie...
 Scan parameters
 Website URL: https://blindsoft.net
 Scan type: Light
 Authentication: False
 Scan stats
 Unique Injection Points Detected: 106
 URLs spidered: 6
 Total number of HTTP requests: 14
 Average time until a response was received: 313ms
 === end doc ===
- 
@adison said in important security question:
 mmhmm. I was thinking of Wordfence, but it wants SFTP, which I don't have the info for.
Sounds like your issue is that you're using the WordPress (Managed) Cloudron app. Use WordPress (Developer) instead and Wordfence will install fine.
- 
@adison CSP is provided by the application. For WP, you can use one of the plugins in https://wordpress.com/plugins/browse/csp .
- 
@girish said in important security question:
 @adison CSP is provided by the application. For WP, you can use one of the plugins in https://wordpress.com/plugins/browse/csp .
I'd guess they are using WordPress (Managed) and many security plugins don't work properly with that.
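As an added example (not code from this thread, Cloudron or WordPress itself), here is how the application can send the two headers the report flagged without a separate security plugin: a must-use plugin that hooks WordPress's send_headers action. The third-party host names are placeholders, and the policy is deliberately started in report-only mode.

```php
<?php
/*
 * Plugin Name: Security Headers (added example)
 * Description: Sends X-Frame-Options and a Content-Security-Policy on every
 *              front-end response, covering the two "missing header" findings.
 * Install as wp-content/mu-plugins/security-headers.php: mu-plugins load
 * automatically, so no activation step is needed.
 */

add_action( 'send_headers', function () {
    // If output already started, header() is ignored and raises a warning.
    if ( headers_sent() ) {
        return;
    }

    // Clickjacking defence: only this origin may frame the site. Browsers that
    // support CSP use the frame-ancestors directive below instead; sending
    // both covers older clients, and the two values must agree.
    header( 'X-Frame-Options: SAMEORIGIN' );

    // Hosts other than 'self' are placeholders (assumption): replace them with
    // the origins this site really loads (analytics, ads, live chat, CDN).
    $directives = array(
        "default-src 'self'",
        "script-src 'self' https://third-party.example",
        "style-src 'self' 'unsafe-inline'",   // themes and blocks emit inline CSS
        "img-src 'self' data: https:",
        "font-src 'self' data:",
        "connect-src 'self' https://third-party.example",
        "frame-ancestors 'self'",             // same meaning as X-Frame-Options above
        "base-uri 'self'",
        "form-action 'self'",
    );

    // Report-only: violations show in the browser console but nothing is
    // blocked. WordPress core and plugins such as Jetpack and Site Kit inject
    // inline scripts, so expect violations at first; once the console is clean
    // on real pages, rename the header to Content-Security-Policy to enforce.
    header( 'Content-Security-Policy-Report-Only: ' . implode( '; ', $directives ) );
} );
```

Re-run the header check after deploying: the scanner only reports on response headers, so a report-only CSP still appears as a missing Content-Security-Policy until you switch to the enforcing header name.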