
7/18/23, 12:25 AM www.rivatravel.com Website Security Test | ImmuniWeb

Summary of www.rivatravel.com [Desktop version] Website Security Test


rivatravel.com was tested 2 times during the last 12 months.

Your final score: [grade rendered as a graphic in the original; the scale letters A, B, C and F survive, but the awarded grade is not recoverable from this export]

Tested on: Jul 17th, 2023 23:34:16 GMT+5:30
Server IP: 103.73.188.242
Reverse DNS: smtp6-18.latestnewsmails.com
Location: Gugal Pimpari
Client: Desktop version
Software Security Test: 2 issues found
GDPR Compliance Test: 1 issue found
PCI DSS Compliance Test: 3 issues found
Content Security Policy Test: missing
Headers Security Test: no issues found

The website has at least one folder with enabled directory listing, putting its content at risk. Misconfiguration or weakness

https://www.immuniweb.com/websec/www.rivatravel.com/ynZgV3mb/ 1/17

Web Server Security Test

HTTP Response: 200 OK
HTTP Versions: HTTP/1.0, HTTP/1.1, HTTP/2
NPN: N/A
ALPN: HTTP/1.1
Content Encoding: None
Server Signature: Apache
WAF: No WAF detected
Location: RackBank Datacenters Private Ltd

HTTP METHODS ENABLED

GET, POST, HEAD, OPTIONS, DELETE, PUT, TRACK, CUSTOM

The scanner lists a method as enabled when the server answers it instead of rejecting it with 405 Method Not Allowed. On Apache, verbs such as PUT, DELETE and arbitrary custom methods are commonly passed straight through to the application handler, which may answer 200 without doing anything, so confirm what each method actually does before treating this as exploitable, and deny the unused ones (for example with a <LimitExcept GET POST HEAD> block).

DIRECTORY LISTING ENABLED

The website has at least one folder with directory listing enabled: https://www.rivatravel.com/extras/system/library/javascript/ . On Apache this is mod_autoindex behaviour and is switched off with Options -Indexes for the affected directory.


Web Software Security Test

Web Software Found: 7
Web Software Outdated: 6
Web Software Vulnerabilities: 15

Fingerprinted CMS & Vulnerabilities

No CMS was fingerprinted on the website. Information

Fingerprinted CMS Components & Vulnerabilities

jQuery 2.1.1

The fingerprinted component version is outdated and vulnerable to publicly known vulnerabilities. Urgently update to the most recent version 3.7.0.

CVSSv3.1 Score   CVE-ID           Vulnerability Type
5.5 Medium       CVE-2020-11022   CWE-79 Cross-site scripting
4.8 Medium       CVE-2019-11358   CWE-400 Prototype pollution
4.1 Medium       CVE-2020-11023   CWE-79 Cross-site scripting

jQuery UI 1.11.4

The fingerprinted component version is outdated and vulnerable to publicly known vulnerabilities. Urgently update to the most recent version 1.13.2.

CVSSv3.1 Score   CVE-ID           Vulnerability Type
5.5 Medium       CVE-2021-41184   CWE-79 Cross-site scripting
5.3 Medium       CVE-2021-41182   CWE-79 Cross-site scripting
5.3 Medium       CVE-2021-41183   CWE-79 Cross-site scripting
5.3 Medium       CVE-2016-7103    CWE-79 Cross-site scripting
4.1 Medium       CVE-2022-31160   CWE-79 Cross-site scripting

(5 further entries are not shown in this export.)
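The version-to-CVE mapping above is what a software-composition check does for client-side libraries. The following is an added example, not ImmuniWeb's code: it fingerprints jQuery and jQuery UI from <script src> URLs in a constructed HTML page that loads the same versions the report found, then compares them with the CVEs listed above. The first-fixed releases (jQuery 3.4.0 and 3.5.0; jQuery UI 1.12.0, 1.13.0 and 1.13.2) come from the upstream jQuery security advisories, not from the report, which lists only the CVE IDs.

```python
"""Fingerprint jQuery / jQuery UI from <script src> tags and map versions to the CVEs above.

Added example, not ImmuniWeb's code. SAMPLE_HTML is constructed to load the versions
the report fingerprinted (jQuery 2.1.1, jQuery UI 1.11.4). Fixed-in versions are from
the upstream jQuery advisories, not from the report.
"""
import re

# (component, CVE, first fixed release, short description) -- fixed-in data from upstream advisories
KNOWN_CVES = [
    ("jquery",    "CVE-2019-11358", (3, 4, 0),  "CWE-400 prototype pollution via jQuery.extend"),
    ("jquery",    "CVE-2020-11022", (3, 5, 0),  "CWE-79 XSS via htmlPrefilter"),
    ("jquery",    "CVE-2020-11023", (3, 5, 0),  "CWE-79 XSS via <option> in untrusted HTML"),
    ("jquery-ui", "CVE-2016-7103",  (1, 12, 0), "CWE-79 XSS via dialog closeText"),
    ("jquery-ui", "CVE-2021-41182", (1, 13, 0), "CWE-79 XSS via datepicker altField"),
    ("jquery-ui", "CVE-2021-41183", (1, 13, 0), "CWE-79 XSS via datepicker *Text options"),
    ("jquery-ui", "CVE-2021-41184", (1, 13, 0), "CWE-79 XSS via .position() 'of' option"),
    ("jquery-ui", "CVE-2022-31160", (1, 13, 2), "CWE-79 XSS via checkboxradio label"),
]

SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Core jQuery file names: jquery.js, jquery.min.js, jquery-2.1.1.min.js; NOT plugins like jquery.validate.js
JQUERY_FILE = re.compile(r"^jquery([.-]\d|\.min\.js$|\.js$)")

# Constructed page; the versions match the report, the paths are invented.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="/assets/js/jquery-2.1.1.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js"></script>
<script src="/assets/js/app.js?v=20230717"></script>
</head><body></body></html>"""


def classify(src):
    """Name the component a script URL belongs to, or None. jQuery UI is tested first (its name contains 'jquery')."""
    s = src.lower()
    base = s.rsplit("/", 1)[-1].split("?", 1)[0]
    if base.startswith(("jquery-ui", "jquery.ui")) or "/jqueryui/" in s or "/jquery-ui/" in s:
        return "jquery-ui"
    if JQUERY_FILE.match(base) or "/jquery/" in s:
        return "jquery"
    return None


def extract_version(src):
    """First x.y.z in the URL: file name (jquery-2.1.1.min.js), path (/jqueryui/1.11.4/) or ?ver= query."""
    m = VERSION.search(src)
    return tuple(int(g) for g in m.groups()) if m else None


def fingerprint(html):
    """Return {component: version_tuple} for every recognised library with a visible version."""
    found = {}
    for src in SCRIPT_SRC.findall(html):
        comp = classify(src)
        ver = extract_version(src) if comp else None
        if comp and ver:
            found[comp] = ver
    return found


def vulnerable(found):
    """Match fingerprinted versions against KNOWN_CVES; tuple comparison gives the version ordering."""
    hits = []
    for comp, cve, fixed, desc in KNOWN_CVES:
        ver = found.get(comp)
        if ver is not None and ver < fixed:
            hits.append({"component": comp, "version": ".".join(map(str, ver)), "cve": cve,
                         "fixed_in": ".".join(map(str, fixed)), "type": desc})
    return hits


if __name__ == "__main__":
    for h in vulnerable(fingerprint(SAMPLE_HTML)):
        print(f"{h['component']} {h['version']}: {h['cve']} ({h['type']}), fixed in {h['fixed_in']}")
```

File-name fingerprinting misses renamed or bundled copies, and a minor-version bump alone does not prove a fix was applied; confirm in the browser console with jQuery.fn.jquery and jQuery.ui.version, which report the versions actually loaded.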


GDPR Compliance Test

If the website processes or stores personal data of EU residents, the following EU GDPR requirements may apply:

PRIVACY POLICY

Privacy Policy was found on the website. Good configuration

WEBSITE SECURITY

Website CMS or its components are outdated and contain publicly known security vulnerabilities. Misconfiguration or weakness

TLS ENCRYPTION

HTTPS encryption is present on the web server. Good configuration

COOKIE PROTECTION

Cookies with personal or tracking information are sent with Secure flag. Good configuration

COOKIE DISCLAIMER

Third-party cookies or cookies with tracking information are sent, cookie disclaimer was found on the website. Good configuration


PCI DSS Compliance Test

If the website falls into a CDE (Cardholder Data Environment) scope, the following Requirements of PCI DSS may apply:

REQUIREMENT 6.2

Website CMS or its components seem to be outdated. Check for available updates. Misconfiguration or weakness

REQUIREMENT 6.5

Fingerprinted website CMS or its components contain publicly known vulnerabilities (Ref. PCI DSS 6.5.1-6.5.10). Misconfiguration or weakness

REQUIREMENT 6.6

No WAF was detected on the website. Implement a WAF to protect the website against common web attacks. Misconfiguration or weakness


HTTP Headers Security

Some HTTP headers related to security and privacy are missing or misconfigured. Misconfiguration or weakness

MISSING OPTIONAL HTTP HEADERS

Access-Control-Allow-Origin, Permissions-Policy

The absence of Access-Control-Allow-Origin is the browser's restrictive default (no cross-origin page can read this site's responses), so it is only a gap where cross-origin access is actually intended. Permissions-Policy is worth adding to switch off browser features the site does not use.

SERVER

Web server does not disclose its version. Good configuration

Server
Server: Apache

STRICT-TRANSPORT-SECURITY

The header is properly set. Good configuration

Strict-Transport-Security

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Directives

Name      Description                                                                   Alerts
max-age   Sets the time browsers must enforce the use of HTTPS to browse the website.   No problems found


X-FRAME-OPTIONS

The header is properly set. Good configuration

X-Frame-Options

X-Frame-Options: sameorigin

X-CONTENT-TYPE-OPTIONS

The header is properly set. Good configuration

X-Content-Type-Options
X-Content-Type-Options: nosniff

REFERRER-POLICY

The header is properly set. Good configuration

Referrer-Policy
Referrer-Policy: no-referrer


Content Security Policy Test

CONTENT-SECURITY-POLICY

The header was not sent by the server. Misconfiguration or weakness

CONTENT-SECURITY-POLICY-REPORT-ONLY

The header was not sent by the server. Information
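The checks in the HTTP Headers Security and Content Security Policy sections above can be reproduced offline against a captured response. The following is an added example, not ImmuniWeb's code: SAMPLE_RESPONSE is constructed from the header values the report shows for www.rivatravel.com (the Content-Type line and the body are assumed, not taken from the report), and WEAK_RESPONSE is a constructed counter-example that exercises the failing paths.

```python
"""Audit a raw HTTP response for the header checks this report runs.

Added example, not ImmuniWeb's code. SAMPLE_RESPONSE mirrors the headers the report
shows (Content-Type and body are assumed); WEAK_RESPONSE is a constructed bad case.
"""
import re

ONE_YEAR = 31536000
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"      # assumed, not in the report
    "\r\n"
    "<html>...</html>"
)

WEAK_RESPONSE = (                                      # constructed counter-example
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.57 (Ubuntu)\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "Referrer-Policy: unsafe-url\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return {lower-case-name: [values]} for the header block of a raw response (CRLF or LF)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:                  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(headers):
    """Return {Header-Name: (status, detail)}; status is one of ok / weakness / info / optional."""
    first = lambda name: headers.get(name, [None])[0]
    out = {}

    server = first("server")
    if server and re.search(r"\d+\.\d+", server):      # "Apache/2.4.57" discloses a version, "Apache" does not
        out["Server"] = ("weakness", f"version disclosed: {server}")
    else:
        out["Server"] = ("ok", server or "header absent")

    hsts = first("strict-transport-security")
    if hsts is None:
        out["Strict-Transport-Security"] = ("weakness", "header missing")
    else:
        directives = {d.strip().lower() for d in hsts.split(";") if d.strip()}
        age = next((int(d.split("=", 1)[1].strip('"')) for d in directives if d.startswith("max-age=")), 0)
        if age < ONE_YEAR:
            out["Strict-Transport-Security"] = ("weakness", f"max-age {age} is below one year")
        else:
            out["Strict-Transport-Security"] = ("ok", "; ".join(sorted(directives)))

    xfo = first("x-frame-options")
    if xfo and xfo.lower() in ("deny", "sameorigin"):  # ALLOW-FROM is obsolete and ignored by current browsers
        out["X-Frame-Options"] = ("ok", xfo)
    else:
        out["X-Frame-Options"] = ("weakness", xfo or "header missing")

    xcto = first("x-content-type-options")
    out["X-Content-Type-Options"] = (("ok", xcto) if xcto and xcto.lower() == "nosniff"
                                     else ("weakness", xcto or "header missing"))

    rp = first("referrer-policy")
    policies = {p.strip().lower() for p in rp.split(",")} if rp else set()
    out["Referrer-Policy"] = (("ok", rp) if policies and policies <= SAFE_REFERRER
                              else ("weakness", rp or "header missing"))

    csp = first("content-security-policy")
    out["Content-Security-Policy"] = ("ok", csp) if csp else ("weakness", "header missing")
    cspro = first("content-security-policy-report-only")
    out["Content-Security-Policy-Report-Only"] = ("info", cspro or "header missing (useful for a report-only rollout)")
    pp = first("permissions-policy")
    out["Permissions-Policy"] = ("ok", pp) if pp else ("optional", "header missing")
    # Access-Control-Allow-Origin is deliberately not flagged when absent: no header means no cross-origin
    # read access, which is the safe default.
    return out


def weaknesses(report):
    """Names of headers rated 'weakness', sorted."""
    return sorted(name for name, (status, _) in report.items() if status == "weakness")


if __name__ == "__main__":
    for name, (status, detail) in audit(parse_headers(SAMPLE_RESPONSE)).items():
        print(f"{status:9} {name}: {detail}")
```

To run it against a live host, capture the full GET response with curl -si (not -I, since a HEAD response can carry different headers) and pass the output to parse_headers.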


Cookies Privacy and Security Analysis

Some cookies have missing secure flags or attributes. Misconfiguration or weakness

COOKIE: TRAVELS

The cookie has Secure and HttpOnly attributes set. Good configuration

The cookie is missing the SameSite attribute. Make sure it does not store sensitive information. Misconfiguration or weakness

Raw HTTP Header

Set-Cookie: travels=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22ca42d6f295e544a4b198114890f659b7%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2264.15.129.102%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A104%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F67.0.3396.99+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1689616734%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D4ced32ef2d9cf5799826caa7175c569b; expires=Mon, 17-Jul-2023 19:58:54 GMT; Max-Age=7200; path=/; HttpOnly ; Secure

Directives

Name       Value                           Description
expires    Mon, 17-Jul-2023 19:58:54 GMT   Sets the maximum lifetime of the cookie using a date.
max-age    7200                            Sets the maximum lifetime of the cookie using a time in seconds.
path       /                               Sets the path of the application where the cookie should be sent.
httponly   set                             Prevents client-side scripts from accessing the cookie; browsers only transmit it over HTTP(S).
secure     set                             Prevents browsers from sending this cookie over an insecure connection.

COOKIE: TRAVELS

The cookie has Secure and HttpOnly attributes set. Good configuration

The cookie is missing the SameSite attribute. Make sure it does not store sensitive information. Misconfiguration or weakness

Raw HTTP Header

Set-Cookie: travels=a%3A7%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22ca42d6f295e544a4b198114890f659b7%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2264.15.129.102%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A104%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F67.0.3396.99+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1689616734%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A14%3A%22domain_auth_id%22%3Bi%3A1%3Bs%3A10%3A%22domain_key%22%3Bs%3A28%3A%22VE1YNzkzNDg0MTY1Mjk1OTcwNQ%3D%3D%22%3B%7D796cb81b84af48e2a83f9daab9c7b3d3; expires=Mon, 17-Jul-2023 19:58:54 GMT; Max-Age=7200; path=/; HttpOnly ; Secure

Directives: identical to the first travels cookie above (expires Mon, 17-Jul-2023 19:58:54 GMT; max-age 7200; path /; httponly set; secure set).

COOKIE: TRAVELS

The cookie has Secure and HttpOnly attributes set. Good configuration

The cookie is missing the SameSite attribute. Make sure it does not store sensitive information. Misconfiguration or weakness

Raw HTTP Header

Set-Cookie: travels=a%3A8%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22ca42d6f295e544a4b198114890f659b7%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2264.15.129.102%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A104%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F67.0.3396.99+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1689616734%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A14%3A%22domain_auth_id%22%3Bi%3A1%3Bs%3A10%3A%22domain_key%22%3Bs%3A28%3A%22VE1YNzkzNDg0MTY1Mjk1OTcwNQ%3D%3D%22%3Bs%3A15%3A%22domain_currency%22%3Bs%3A3%3A%22USD%22%3B%7D07ca8caeb58782d085c0a3a9ed62bcd7; expires=Mon, 17-Jul-2023 19:58:54 GMT; Max-Age=7200; path=/; HttpOnly ; Secure

Directives: identical to the first travels cookie above (expires Mon, 17-Jul-2023 19:58:54 GMT; max-age 7200; path /; httponly set; secure set).
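The travels cookie value is PHP serialize() output (it decodes to a:8:{s:10:"session_id";...}) followed by a 32-character hexadecimal digest, so the report's advice to make sure it stores nothing sensitive can be checked by decoding it. The following is an added example, not ImmuniWeb's code: SET_COOKIE is the third Set-Cookie header above joined onto one line, and the parser is a generic reader for PHP's serialization format. How the trailing digest is computed is not shown in the report, so the code only separates it and does not try to verify it.

```python
"""Decode the PHP-serialized session cookie from the report and check its attributes.

Added example, not ImmuniWeb's code. SET_COOKIE is the third Set-Cookie header shown in
the report. The parser handles PHP scalars and arrays; objects (O:) raise instead of
being guessed at. The trailing digest is separated, not verified (its key is unknown).
"""
import re
from urllib.parse import unquote_to_bytes

SET_COOKIE = (
    "travels=a%3A8%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22ca42d6f295e544a4b198114890f659b7%22%3B"
    "s%3A10%3A%22ip_address%22%3Bs%3A13%3A%2264.15.129.102%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A104%3A%22"
    "Mozilla%2F5.0+%28X11%3B+Linux+x86_64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29"
    "+Chrome%2F67.0.3396.99+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1689616734%3B"
    "s%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A14%3A%22domain_auth_id%22%3Bi%3A1%3B"
    "s%3A10%3A%22domain_key%22%3Bs%3A28%3A%22VE1YNzkzNDg0MTY1Mjk1OTcwNQ%3D%3D%22%3B"
    "s%3A15%3A%22domain_currency%22%3Bs%3A3%3A%22USD%22%3B%7D07ca8caeb58782d085c0a3a9ed62bcd7; "
    "expires=Mon, 17-Jul-2023 19:58:54 GMT; Max-Age=7200; path=/; HttpOnly ; Secure"
)


def parse_php(data, pos=0):
    """Parse one PHP-serialized value at data[pos]; return (value, position after it).

    `data` must be a latin-1 decoded str so that one char == one byte, because PHP's
    s:<len> counts bytes. String values are re-decoded as UTF-8 on the way out.
    """
    tag = data[pos]
    if tag == "N":                                   # N;
        return None, pos + 2
    if tag in "ibd":                                 # i:123;  b:1;  d:1.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        value = int(raw) if tag == "i" else (raw == "1" if tag == "b" else float(raw))
        return value, end + 1
    if tag == "s":                                   # s:<len>:"<bytes>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip :"
        value = data[start:start + length].encode("latin-1").decode("utf-8", "replace")
        return value, start + length + 2             # skip ";
    if tag == "a":                                   # a:<count>:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                                # skip :{
        out = {}
        for _ in range(count):
            key, p = parse_php(data, p)
            out[key], p = parse_php(data, p)
        return out, p + 1                            # skip }
    raise ValueError(f"unsupported PHP serialization type {tag!r} at offset {pos}")


def decode_session_cookie(header_value):
    """Split a Set-Cookie value into name, decoded PHP payload, trailing digest and attributes."""
    name_value, *attrs = (part.strip() for part in header_value.split(";"))
    name, _, encoded = name_value.partition("=")
    # PHP's urlencode() writes spaces as '+'; decode to bytes, then map bytes 1:1 onto chars.
    data = unquote_to_bytes(encoded.replace("+", " ")).decode("latin-1")
    payload, end = parse_php(data)
    attributes = {}
    for attr in attrs:
        key, _, value = attr.partition("=")
        attributes[key.lower()] = value if value else True
    return {"name": name, "payload": payload, "digest": data[end:], "attributes": attributes}


def cookie_findings(decoded):
    """Plain-language findings in the spirit of the report's cookie checks."""
    findings = []
    attrs = decoded["attributes"]
    if "secure" not in attrs:
        findings.append("missing Secure: cookie would be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable from page scripts")
    if "samesite" not in attrs:
        findings.append("missing SameSite: Chromium defaults to Lax, other engines send it cross-site; set it explicitly")
    exposed = [k for k in ("ip_address", "user_agent", "session_id") if k in decoded["payload"]]
    if exposed:
        findings.append("client-readable session state in cookie: " + ", ".join(exposed))
    if re.fullmatch(r"[0-9a-f]{32}", decoded["digest"]):
        findings.append("32-hex digest appended: integrity check only, the payload itself is not encrypted")
    return findings


if __name__ == "__main__":
    decoded = decode_session_cookie(SET_COOKIE)
    for key, value in decoded["payload"].items():
        print(f"{key}: {value!r}")
    print("digest:", decoded["digest"])
    for finding in cookie_findings(decoded):
        print("-", finding)
```

Decoding shows that the cookie carries the client's IP address, full User-Agent string and last-activity timestamp in the clear alongside the session identifier; HttpOnly keeps page scripts away from it, but anyone holding the cookie can read every field, and whether the server re-validates ip_address and user_agent on each request is not something this report can tell.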


External Content Privacy and Security Analysis

EXTERNAL CONTENT ON HOMEPAGE

External web content (e.g. images, video, CSS or JavaScript) can improve website loading time. However, it can also put the privacy of website visitors at risk, since some information about them is transmitted to the third parties operating the external resources, sometimes without proper HTTPS encryption or user consent.

External HTTP Requests: 12
Failed HTTP Requests: 1

www.facebook.com

https://www.facebook.com/x/oauth/status?client_id=683582740114272&input_token&origin=1&redirect_uri=https%3A%2F%2Fwww.rivatravel.com%2F&sdk=joey&wants_cookie_data=true

fonts.googleapis.com

https://fonts.googleapis.com/css?family=Righteous

https://fonts.googleapis.com/css?family=Roboto

https://fonts.googleapis.com/css?family=Lato|Source+Sans+Pro

cdnjs.cloudflare.com

https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.1/css/select2.min.css


(7 further external requests are not shown in this export.)
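A site with this many third-party resources and no Content-Security-Policy is a candidate for a report-only rollout: allow exactly the origins the External Content section lists, ship the policy in Content-Security-Policy-Report-Only, and promote it to an enforcing header once violation reports stop. The following is an added example, not ImmuniWeb's code or the site's own configuration: OBSERVED holds the five external requests shown above (the seven hidden in this export are not included), the dependency on fonts.gstatic.com is a well-known consequence of loading Google Fonts CSS and is not from the report, and /csp-report is a placeholder reporting endpoint.

```python
"""Bootstrap a report-only CSP from the third-party origins observed on the homepage.

Added example, not ImmuniWeb's code. OBSERVED is the five external requests the report
shows. fonts.gstatic.com is an assumed dependency of Google Fonts CSS (not in the
report); /csp-report is a placeholder reporting endpoint.
"""
from urllib.parse import urlparse

OBSERVED = [
    "https://www.facebook.com/x/oauth/status?client_id=683582740114272&input_token&origin=1"
    "&redirect_uri=https%3A%2F%2Fwww.rivatravel.com%2F&sdk=joey&wants_cookie_data=true",
    "https://fonts.googleapis.com/css?family=Righteous",
    "https://fonts.googleapis.com/css?family=Roboto",
    "https://fonts.googleapis.com/css?family=Lato|Source+Sans+Pro",
    "https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.1/css/select2.min.css",
]

# Stylesheets from fonts.googleapis.com pull the font files from fonts.gstatic.com;
# assumed dependency, not listed in the report's five visible requests.
IMPLIED = {"https://fonts.googleapis.com": ("font-src", "https://fonts.gstatic.com")}


def directive_for(url):
    """Guess the CSP directive that governs a URL from its host and path extension."""
    p = urlparse(url)
    path = p.path.lower()
    if p.hostname == "fonts.googleapis.com" or path.endswith(".css"):
        return "style-src"
    if path.endswith(".js"):
        return "script-src"
    if path.endswith((".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp", ".ico")):
        return "img-src"
    if path.endswith((".woff", ".woff2", ".ttf", ".otf")):
        return "font-src"
    # Anything else (the Facebook oauth/status call here) is treated as a fetch/XHR target;
    # if it is really loaded in a frame or via <script>, report-only mode will surface that.
    return "connect-src"


def build_csp(urls, report_uri="/csp-report"):
    """Policy string allowing exactly the observed HTTPS origins, meant for Content-Security-Policy-Report-Only."""
    policy = {
        "default-src": {"'self'"},
        "object-src": {"'none'"},
        "base-uri": {"'self'"},
        "frame-ancestors": {"'self'"},   # mirrors the X-Frame-Options: sameorigin the report found
    }
    for url in urls:
        p = urlparse(url)
        if p.scheme != "https" or not p.hostname:
            raise ValueError(f"refusing to allow-list a non-HTTPS resource: {url}")
        origin = f"https://{p.hostname}"
        policy.setdefault(directive_for(url), {"'self'"}).add(origin)
        if origin in IMPLIED:
            directive, dependency = IMPLIED[origin]
            policy.setdefault(directive, {"'self'"}).add(dependency)
    parts = [f"{name} {' '.join(sorted(sources))}" for name, sources in sorted(policy.items())]
    # report-uri is deprecated in favour of report-to but is still what most browsers honour today
    parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def report_only_header(urls):
    """(header name, value) to deploy first; rename to Content-Security-Policy once reports are clean."""
    return "Content-Security-Policy-Report-Only", build_csp(urls)


if __name__ == "__main__":
    name, value = report_only_header(OBSERVED)
    print(f"{name}: {value}")
```

The generated policy has no 'unsafe-inline', so any inline <script> or style attribute on the page will show up as a violation in the reports; those are the places to move into external files or nonce before the header is switched to enforcing mode.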
