(Divi Report) Tokenlab

[Divi Report] Tokenlab
Contains the vulnerability analysis of OWASP and related potential security issues for Tokenlab
Sites: https://learning.tokenlab.dev https://www.google-analytics.com https://static.hotjar.com https://www.googletagmanager.com

https://d335luupugsy2.cloudfront.net https://www.tokenlab.com.br
Generated on Tue, 14 Nov 2023 14:14:09
Divi Report: Report based on a conjuntction of custom Divi scripts, OWASP validation, and also on OpenSource solutions.
Summary of Alerts
Risk Level Number of Alerts
High 1
Medium 4
Low 4
Informational 5
Alerts
Name Risk Level Number of Instances
Cloud Metadata Potentially Exposed High 1

.htaccess Information Leak Medium 1
Content Security Policy (CSP) Header Not Set Medium 14
Cross-Domain Misconfiguration Medium 2
Missing Anti-clickjacking Header Medium 14
Server Leaks Version Information via "Server" HTTP Response Header Field Low 187
Strict-Transport-Security Header Not Set Low 186
Timestamp Disclosure - Unix Low 22
X-Content-Type-Options Header Missing Low 187
Information Disclosure - Sensitive Information in HTTP Referrer Header Informational 8
Information Disclosure - Suspicious Comments Informational 28
Re-examine Cache-control Directives Informational 16
Retrieved from Cache Informational 351
User Agent Fuzzer Informational 12
Alert Detail
High Cloud Metadata Potentially Exposed

The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP
and Azure.
Description
All of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by
using this IP address in the Host header field.
URL https://learning.tokenlab.dev/latest/meta-data/
Method GET
Parameter
Attack 169.254.169.254
Evidence
Based on the successful response status code cloud metadata may have been returned in the response. Check the response data to see if any cloud metadata has been returned.
Other Info
The meta data returned can include information that would allow an attacker to completely compromise the system.
Instances 1
Solution Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker.
Reference https://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/
CWE Id
WASC Id
Plugin Id 90034
Medium .htaccess Information Leak

htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software
Description
has to offer.
URL https://www.tokenlab.com.br/.htaccess
Method GET
Parameter
Attack
Evidence HTTP/1.1 200 OK
Other Info
Instances 1
Solution Ensure the .htaccess file is not accessible.
Reference http://www.htaccess-guide.com/
CWE Id 94
WASC Id 14
Plugin Id 40032
Medium Content Security Policy (CSP) Header Not Set

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to
Description
declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable
objects such as Java applets, ActiveX, audio and video files.
URL https://www.tokenlab.com.br/
Method GET
Parameter
Attack
Evidence
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/what-we-do/ux-ui-widget.png
Method GET
Parameter
Attack
Evidence
Other Info
URL https://www.tokenlab.com.br/pt/about-us
Method GET
Parameter
Attack
Evidence
Other Info
URL https://www.tokenlab.com.br/pt/cases
Method GET
Parameter
Attack
Evidence
Other Info
URL https://www.tokenlab.com.br/pt/cases/btbodytech
Method GET
Parameter
Attack
Evidence
Other Info
URL https://www.tokenlab.com.br/pt/cases/btfit
Method GET
Parameter
Attack
Evidence
Other Info
URL https://www.tokenlab.com.br/pt/cases/cinemark
Method GET
Parameter
Attack
Evidence
Other Info
URL https://www.tokenlab.com.br/pt/cases/saint-gobain
Method GET
Parameter
Attack
Evidence
Other Info
URL https://www.tokenlab.com.br/pt/cases/seguros-unimed
Method GET
Parameter
Attack
Evidence
Other Info
URL https://www.tokenlab.com.br/pt/contact-us
Method GET
Parameter
Attack
Evidence
Other Info
URL https://www.tokenlab.com.br/pt/contact-us/commercial
Method GET
Parameter
Attack
Evidence
Other Info
URL https://www.tokenlab.com.br/pt/home
Method GET
Parameter
Attack
Evidence
Other Info
URL https://www.tokenlab.com.br/pt/home/
Method GET
Parameter
Attack
Evidence
Other Info
URL https://www.tokenlab.com.br/pt/privacy-policy
Method GET
Parameter
Attack
Evidence
Other Info
Instances 14
Solution Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
http://www.w3.org/TR/CSP/
Reference http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
http://caniuse.com/#feat=contentsecuritypolicy
http://content-security-policy.com/
CWE Id 693
WASC Id 15
Plugin Id 10038
Medium Cross-Domain Misconfiguration

Description Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server
URL https://static.hotjar.com/c/hotjar-3106680.js?sv=7
Method GET
Parameter
Attack
Evidence Access-Control-Allow-Origin: *
The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser
Other Info implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used
by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
URL https://www.googletagmanager.com/gtm.js?id=GTM-N5W4P3G
Method GET
Parameter
Attack
Evidence Access-Control-Allow-Origin: *
The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser
Other Info implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used
by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
Instances 2
Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).
Solution
Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same
Origin Policy (SOP) in a more restrictive manner.
Reference https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy
CWE Id 264
WASC Id 14
Plugin Id 10098
Medium Missing Anti-clickjacking Header

Description The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
Method GET
Parameter x-frame-options
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Instances 14
Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
Solution
If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be
framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id 1021
WASC Id 15
Plugin Id 10020
Low Server Leaks Version Information via "Server" HTTP Response Header Field
The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities
Description
your web/application server is subject to.
URL https://d335luupugsy2.cloudfront.net/js/integration/2.0.0/rd-js-integration.min.js?v=1
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://d335luupugsy2.cloudfront.net/js/loader-scripts/1e91f88f-ef83-413a-b385-1f07ce22b0e3-loader.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://d335luupugsy2.cloudfront.net/js/rdstation-popups/bricks/rdstation-popup.min.js?v=1
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://d335luupugsy2.cloudfront.net/js/traffic-source-cookie/stable/traffic-source-cookie.min.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://d335luupugsy2.cloudfront.net/scout/bundle.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.google-analytics.com/analytics.js
Method GET
Parameter
Attack
Evidence Golfe2
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/128.ab6c0c382d402661.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/170.61771addbd460c63.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/383.21e175cdaeffcc68.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/543.a2d1b3e2a7095fab.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/605.9199830677b027ef.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/698.f1f03b3837748b26.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/763.020c312be3f1e1c1.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/837.b80c1610bf1f2b1d.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/93.506a992b6f2bdc70.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/962.a26819458b1fc8b5.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/fonts/Montserrat-Black.woff2
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/fonts/Montserrat-Bold.woff
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/fonts/Montserrat-Bold.woff2
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/fonts/Montserrat-Light.woff
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/fonts/Montserrat-Light.woff2
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/fonts/Montserrat-Medium.woff
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/fonts/Montserrat-Medium.woff2
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/fonts/Montserrat-Regular.woff
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/fonts/Montserrat-Regular.woff2
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/fonts/Montserrat-Semibold.woff
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/fonts/Montserrat-Semibold.woff2
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/about-us/agile-management-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/about-us/design-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/about-us/devmobile-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/about-us/devweb-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/about-us/facebook-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/about-us/instagram-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/about-us/linkedin-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/about-us/quality-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/cases/btbodytech/bt-bodytech-logo.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/cases/btfit/btfit-logo.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/cases/cinemark/cinemark-logo.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/cases/onda/onda-logo.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/cases/saint-gobain/sg-logo.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/cases/seguros-unimed/unimed-logo.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/angular-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/arrival.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/aws-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/aws-logo.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/calendar.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/chevron-right.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/clients.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/close.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/cookie.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/drop-down.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/exercise.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/gptw01.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/gptw02.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/grails-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/java-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/lang-br.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/lang-en.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/lang-es.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/live.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/menu-chevron.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/news.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/node-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/notebook.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/plan.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/schedule.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/signature.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/swift-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/common/token-logo-dark.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/contact-us/business-contact-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/contact-us/careers-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/contact-us/chevron-down.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/contact-us/others-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/contact-us/sponsorships-events-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/footer/facebook.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/footer/instagram.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/footer/linkedin.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/footer/logo-token.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/landingpage/brands/bancoPan.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/landingpage/brands/bodytech.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/landingpage/brands/cinemark.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/landingpage/brands/DHL.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/landingpage/brands/exame.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/landingpage/brands/flex.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/landingpage/brands/hsm.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/landingpage/brands/saint-gobain.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/landingpage/brands/sirio-libanes.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/landingpage/brands/unimed.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/landingpage/home-section/play-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/landingpage/how-we-operate/chevron-left.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/landingpage/how-we-operate/chevron-right.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/logos/new-logo-bodytech.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/logos/new-logo-btfit.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/icons/logos/new-logo-onda.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/about-us/token-frontage.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btbodytech/bodytech-app.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btbodytech/btbodytech-carousel.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btbodytech/btbodytech-carousel.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btbodytech/btbodytech-device-tablet.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btbodytech/customer-bodytech.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btbodytech/mockup-banner.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btbodytech/plan.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btbodytech/search-academies.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btbodytech/slide-1.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btbodytech/training-visualization.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btfit/bt-device-tablet.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btfit/btfit-carousel.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btfit/btfit-carousel.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btfit/collective-classes-online.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btfit/customer-btfit.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btfit/mockup-banner.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btfit/online-challenge.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btfit/online-personal-trainer.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btfit/slide-1.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/btfit/training-programs.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/cinemark/cinemark-carousel.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/cinemark/cinemark-carousel.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/cinemark/cinemark-device-tablet.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/onda/client-management.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/onda/contact.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/onda/customer-onda.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/onda/map.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/onda/mockup-banner.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/onda/news-and-promotions.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/onda/onda-carousel.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/onda/onda-carousel.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/onda/onda-device-tablet.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/onda/qr-code.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/onda/slide-1.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/onda/wallet.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/saint-gobain/saint-gobain-carousel.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/saint-gobain/saint-gobain-carousel.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/saint-gobain/saintgobain-device-tablet.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/unimed/unimed-carousel.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/unimed/unimed-carousel.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/cases/unimed/unimed-our-cases-tablet.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/contact-us/gradient-left.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/contact-us/gradient-right.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/company-background.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/cta-section/cta_logo.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/home-section-bg.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/institucional-tokenlab-poster.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/mask-tokenlab-icon.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/what-we-do/blockchain-widget.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/what-we-do/blockchain-widget.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/what-we-do/elipse.svg
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/what-we-do/iot-widget.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/what-we-do/iot-widget.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/what-we-do/mobile-widget.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/what-we-do/mobile-widget.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/what-we-do/ux-ui-widget.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/what-we-do/web-widget.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/imgs/landingpage/what-we-do/web-widget.webp
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/subtitles/subtitle-pt.vtt
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/assets/videos/landingpage/institucional-tokenlab.webm
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/common.03c32c2bb2758b6f.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/favicon.ico
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/flags@2x.2704c069d12ee746.png
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/main.828229131f1b1e63.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/polyfills.33afb6a5640f31ab.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/robots.txt
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/runtime.ef14e6c1f424c3e6.js
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/sitemap.xml
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
URL https://www.tokenlab.com.br/styles.883d752722b92374.css
Method GET
Parameter
Attack
Evidence AmazonS3
Other Info
Instances 187
Solution Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.
http://httpd.apache.org/docs/current/mod/core.html#servertokens
http://msdn.microsoft.com/en-us/library/ff648552.aspx#ht_urlscan_007
Reference
http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx
http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html
CWE Id 200
WASC Id 13
Plugin Id 10036
Low Strict-Transport-Security Header Not Set

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it
Description
using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Method GET
Parameter
Attack
Evidence
Other Info
Instances 186
Solution Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
https://owasp.org/www-community/Security_Headers
Reference http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
http://caniuse.com/stricttransportsecurity
http://tools.ietf.org/html/rfc6797
CWE Id 319
WASC Id 15
Plugin Id 10035
Low Timestamp Disclosure - Unix

Description A timestamp was disclosed by the application/web server - Unix
Method GET
Parameter
Attack
Evidence 1560538149
Other Info 1560538149, which evaluates to: 2019-06-14 15:49:09
Method GET
Parameter
Attack
Evidence 1409305260
Method GET
Parameter
Attack
Evidence 1481256789
Method GET
Parameter
Attack
Evidence 1520123456
Method GET
Parameter
Attack
Evidence 1523456789
Method GET
Parameter
Attack
Evidence 1534456789
Method GET
Parameter
Attack
Evidence 1546012345
Method GET
Parameter
Attack
Evidence 1599123456
Method GET
Parameter
Attack
Evidence 1600123456
Method GET
Parameter
Attack
Evidence 1624756789
Method GET
Parameter
Attack
Evidence 1700123456
Method GET
Parameter
Attack
Evidence 1781234567
Method GET
Parameter
Attack
Evidence 1800123456
Method GET
Parameter
Attack
Evidence 1812345678
Method GET
Parameter
Attack
Evidence 1850123456
Method GET
Parameter
Attack
Evidence 1882352941
Method GET
Parameter
Attack
Evidence 1900123456
Method GET
Parameter
Attack
Evidence 1919123456
Method GET
Parameter
Attack
Evidence 1921234567
Method GET
Parameter
Attack
Evidence 2001234567
Method GET
Parameter
Attack
Evidence 2012345678
Method GET
Parameter
Attack
Evidence 2015550123
Instances 22
Solution Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.
Reference http://projects.webappsec.org/w/page/13246936/Information%20Leakage
CWE Id 200
WASC Id 13
Plugin Id 10096
Low X-Content-Type-Options Header Missing

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the
Description response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy
versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
Method GET
Parameter x-content-type-options
Attack
Evidence
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing
Other Info
pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses.
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Method GET
Attack
Evidence
Other Info
Instances 187
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
Solution
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web
application/web server to not perform MIME-sniffing.
http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
Reference
https://owasp.org/www-community/Security_Headers
CWE Id 693
WASC Id 15
Plugin Id 10021
Informational Information Disclosure - Sensitive Information in HTTP Referrer Header

The HTTP header may have leaked a potentially sensitive parameter to another domain. This can violate PCI and most organizational compliance policies. You can configure the list
Description
of strings for this check to add or remove values specific to your environment.
Method GET
Parameter
Attack
Evidence token
Other Info The URL in the HTTP referrer header field appears to contain sensitive information.
Method GET
Parameter
Attack
Evidence token
Method GET
Parameter
Attack
Evidence token
Method GET
Parameter
Attack
Evidence token
Method GET
Parameter
Attack
Evidence token
Method GET
Parameter
Attack
Evidence token
Method GET
Parameter
Attack
Evidence token
Method GET
Parameter
Attack
Evidence token
Instances 8
Solution Do not pass sensitive information in URIs.
Reference
CWE Id 200
WASC Id 13
Plugin Id 10025
Informational Information Disclosure - Suspicious Comments

The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only
Description
comments.
Method GET
Parameter
Attack
Evidence user
The following pattern was used: \bUSER\b and was detected in the element starting with: "var RdstationFormsIntegration=function(e){var t={};function n(r){if(t[r])return t[r].exports;var
Other Info
o=t[r]={i:r,l:!1,exports:{}};re", see evidence field for the suspicious comment/snippet.
Method GET
Parameter
Attack
Evidence user
The following pattern was used: \bUSER\b and was detected in the element starting with: "var RdstationPopup=function(e){var t={};function n(i){if(t[i])return t[i].exports;var r=t[i]=
Other Info
{i:i,l:!1,exports:{}};return e[i].c", see evidence field for the suspicious comment/snippet.
Method GET
Parameter
Attack
Evidence debug
The following pattern was used: \bDEBUG\b and was detected in the element starting with: "!function(){"use strict";function e(e,t){for(var r=0;r<t.length;r++){var
Other Info
n=t[r];n.enumerable=n.enumerable||!1,n.configurable=!0,", see evidence field for the suspicious comment/snippet.
Method GET
Parameter
Attack
Evidence db
The following pattern was used: \bDB\b and was detected 5 times, the first in the element starting with: "function hf(a,b){var c=gf[a];c&&J(c);"displayFeaturesTask"===a&&void
Other Info
0==b&&J(96);/.*Task$/.test(a)&&J(92)}function mf(a,b){if(a)", see evidence field for the suspicious comment/snippet.
Method GET
Parameter
Attack
Evidence debug
The following pattern was used: \bDEBUG\b and was detected in the element starting with: "function Pe(a){try{if(!a.get(Qe)&&(a.set(Qe,!0),!a.get("&gtm"))){var b=void 0,c=void
Other Info
0;lf(be("gtm_debug"))&&(b=2);!b&&D(M.referr", see evidence field for the suspicious comment/snippet.
Method GET
Parameter
Attack
Evidence query
The following pattern was used: \bQUERY\b and was detected 5 times, the first in the element starting with: "c=0>c?a.href:a.href.substr(0,c));a=c;break;case
Other Info
"protocol":a=d;break;case "host":a=a.hostname.replace(N,"").toLowerCase();c&&(c=", see evidence field for the suspicious comment/snippet.
Method GET
Parameter
Attack
Evidence db
The following pattern was used: \bDB\b and was detected 6 times, the first in the element starting with: "ab=function(a,b){for(var c={},d=c,e=a.split("."),f=0;f<e.length-
Other Info
1;f++)d=d[e[f]]={};d[e[e.length-1]]=b;return c},bb=/^\w{1,9}$/,c", see evidence field for the suspicious comment/snippet.
Method GET
Parameter
Attack
Evidence debug
The following pattern was used: \bDEBUG\b and was detected 2 times, the first in the element starting with: ""__googtag":{"logging":{"environments":"debug"},"access_globals":
Other Info
{"keys":[{"key":"gtag","read":true,"write":true,"execute":true}", see evidence field for the suspicious comment/snippet.
Method GET
Parameter
Attack
Evidence query
The following pattern was used: \bQUERY\b and was detected 9 times, the first in the element starting with: "(f=f.substr(k[0].length))}break;case "port":f=String(Number(a.port)||
Other Info
("http"===g?80:"https"===g?443:""));break;case "path":a.pat", see evidence field for the suspicious comment/snippet.
Method GET
Parameter
Attack
Evidence todo
The following pattern was used: \bTODO\b and was detected in the element starting with: "<script id="serverApp-state" type="application/json">{&q;transfer-translate-pt&q;:
Other Info
{&q;header&q;:{&q;link1&q;:&q;O QUE FAZEMOS&q;", see evidence field for the suspicious comment/snippet.
Method GET
Parameter
Attack
Evidence from
The following pattern was used: \bFROM\b and was detected in the element starting with: ""use strict";
Other Info
(self.webpackChunktokenlab_novo_website=self.webpackChunktokenlab_novo_website||[]).push([[383],{3057:(P,O,g)=>{g.d", see evidence field for the suspicious comment/snippet.
Method GET
Parameter
Attack
Evidence SELECT
The following pattern was used: \bSELECT\b and was detected in the element starting with: "
Other Info (self.webpackChunktokenlab_novo_website=self.webpackChunktokenlab_novo_website||[]).push([[837],{2837:(t,o,s)=>{"use strict";s.r", see evidence field for the suspicious
comment/snippet.
Method GET
Parameter
Attack
Evidence user
The following pattern was used: \bUSER\b and was detected in the element starting with: "
Other Info (self.webpackChunktokenlab_novo_website=self.webpackChunktokenlab_novo_website||[]).push([[93],{6703:(Yt,Z,b)=>{"use strict";b.d", see evidence field for the suspicious
comment/snippet.
Method GET
Parameter
Attack
Evidence todo
Other Info
Method GET
Parameter
Attack
Evidence query
The following pattern was used: \bQUERY\b and was detected in the element starting with: "
Other Info (self.webpackChunktokenlab_novo_website=self.webpackChunktokenlab_novo_website||[]).push([[179],{5847:(Ct,Se,T)=>{"use strict";T", see evidence field for the suspicious
comment/snippet.
Method GET
Parameter
Attack
Evidence select
The following pattern was used: \bSELECT\b and was detected in the element starting with: ""use strict";
Other Info
(self.webpackChunktokenlab_novo_website=self.webpackChunktokenlab_novo_website||[]).push([[429],{5565:(rr,Ar,ds)=>{", see evidence field for the suspicious comment/snippet.
Method GET
Parameter
Attack
Evidence todo
Other Info
Method GET
Parameter
Attack
Evidence todo
Other Info
Method GET
Parameter
Attack
Evidence todo
Other Info
Method GET
Parameter
Attack
Evidence todo
Other Info
Method GET
Parameter
Attack
Evidence todo
Other Info
Method GET
Parameter
Attack
Evidence todo
Other Info
Method GET
Parameter
Attack
Evidence todo
Other Info
Method GET
Parameter
Attack
Evidence todo
Other Info
Method GET
Parameter
Attack
Evidence todo
Other Info
Method GET
Parameter
Attack
Evidence todo
Other Info
Method GET
Parameter
Attack
Evidence todo
Other Info
Method GET
Parameter
Attack
Evidence todo
Other Info
Instances 28
Solution Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.
Reference
CWE Id 200
WASC Id 13
Plugin Id 10027
Informational Re-examine Cache-control Directives

The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be
Description
intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.
Method GET
Parameter cache-control
Attack
Evidence max-age=2592000
Other Info
Method GET
Attack
Other Info
Method GET
Attack
Other Info
Method GET
Attack
Other Info
Method GET
Attack
Other Info
Method GET
Attack
Other Info
Method GET
Attack
Other Info
Method GET
Attack
Other Info
Method GET
Attack
Other Info
Method GET
Attack
Other Info
Method GET
Attack
Other Info
Method GET
Attack
Other Info
Method GET
Attack
Other Info
Method GET
Attack
Other Info
Method GET
Attack
Other Info
Method GET
Attack
Other Info
Instances 16
For secure content, ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached consider setting the directives "public,
Solution
max-age, immutable".
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
https://grayduck.mn/2021/09/13/cache-control-recommendations/
CWE Id 525
WASC Id 13
Plugin Id 10015
Informational Retrieved from Cache

The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this
may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is
Description
primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments,
for instance.
Method GET
Parameter
Attack
Evidence Hit from cloudfront
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Evidence Age: 2481
Other Info The presence of the 'Age' header indicates that that a HTTP/1.1 compliant caching server is in use.
Method GET
Parameter
Attack
Evidence Age: 2482
Method GET
Parameter
Attack
Evidence Age: 2484
Method GET
Parameter
Attack
Evidence Age: 2488
Method GET
Parameter
Attack
Evidence Age: 2490
Method GET
Parameter
Attack
Evidence Age: 2495
Method GET
Parameter
Attack
Evidence Age: 2498
Method GET
Parameter
Attack
Evidence Age: 2504
Method GET
Parameter
Attack
Evidence Age: 2513
Method GET
Parameter
Attack
Evidence Age: 2515
Method GET
Parameter
Attack
Evidence Age: 2521
Method GET
Parameter
Attack
Evidence Age: 2531
Method GET
Parameter
Attack
Evidence Age: 2540
Method GET
Parameter
Attack
Evidence Age: 2549
Method GET
Parameter
Attack
Evidence Age: 2550
Method GET
Parameter
Attack
Evidence Age: 2551
Method GET
Parameter
Attack
Evidence Age: 2556
Method GET
Parameter
Attack
Evidence Age: 2570
Method GET
Parameter
Attack
Evidence Age: 2578
Method GET
Parameter
Attack
Evidence Age: 2580
Method GET
Parameter
Attack
Evidence Age: 2586
Method GET
Parameter
Attack
Evidence Age: 2591
Method GET
Parameter
Attack
Evidence Age: 2596
Method GET
Parameter
Attack
Evidence Age: 2600
Method GET
Parameter
Attack
Evidence Age: 2602
Method GET
Parameter
Attack
Evidence Age: 2609
Method GET
Parameter
Attack
Evidence Age: 2615
Method GET
Parameter
Attack
Evidence Age: 2621
Method GET
Parameter
Attack
Evidence Age: 2623
Method GET
Parameter
Attack
Evidence Age: 2627
Method GET
Parameter
Attack
Evidence Age: 2634
Method GET
Parameter
Attack
Evidence Age: 2637
Method GET
Parameter
Attack
Evidence Age: 2642
Method GET
Parameter
Attack
Evidence Age: 2646
Method GET
Parameter
Attack
Evidence Age: 2657
Method GET
Parameter
Attack
Evidence Age: 2667
Method GET
Parameter
Attack
Evidence Age: 2674
Method GET
Parameter
Attack
Evidence Age: 5663
Method GET
Parameter
Attack
Evidence Age: 5673
Method GET
Parameter
Attack
Evidence Age: 5687
Method GET
Parameter
Attack
Evidence Age: 5715
Method GET
Parameter
Attack
Evidence Age: 5734
Method GET
Parameter
Attack
Evidence Age: 5735
Method GET
Parameter
Attack
Evidence Age: 5739
Method GET
Parameter
Attack
Evidence Age: 5752
Method GET
Parameter
Attack
Evidence Age: 5754
Method GET
Parameter
Attack
Evidence Age: 5755
Method GET
Parameter
Attack
Evidence Age: 5756
Method GET
Parameter
Attack
Evidence Age: 5757
Method GET
Parameter
Attack
Evidence Age: 5765
Method GET
Parameter
Attack
Evidence Age: 5768
Method GET
Parameter
Attack
Evidence Age: 5777
Method GET
Parameter
Attack
Evidence Age: 5788
Method GET
Parameter
Attack
Evidence Age: 5791
Method GET
Parameter
Attack
Evidence Age: 5796
Method GET
Parameter
Attack
Evidence Age: 5800
Method GET
Parameter
Attack
Evidence Age: 5809
Method GET
Parameter
Attack
Evidence Age: 5813
Method GET
Parameter
Attack
Evidence Age: 5824
Method GET
Parameter
Attack
Evidence Age: 5825
Method GET
Parameter
Attack
Evidence Age: 5826
Method GET
Parameter
Attack
Evidence Age: 5841
Method GET
Parameter
Attack
Evidence Age: 5847
Method GET
Parameter
Attack
Evidence Age: 5857
Method GET
Parameter
Attack
Evidence Age: 5873
Method GET
Parameter
Attack
Evidence Age: 5884
Method GET
Parameter
Attack
Evidence Age: 5906
Method GET
Parameter
Attack
Evidence Age: 5913
Method GET
Parameter
Attack
Evidence Age: 5918
Method GET
Parameter
Attack
Evidence Age: 5924
Method GET
Parameter
Attack
Evidence Age: 5926
Method GET
Parameter
Attack
Evidence Age: 5934
Method GET
Parameter
Attack
Evidence Age: 6148
Method GET
Parameter
Attack
Evidence Age: 6150
Method GET
Parameter
Attack
Evidence Age: 6158
Method GET
Parameter
Attack
Evidence Age: 6164
Method GET
Parameter
Attack
Evidence Age: 6169
Method GET
Parameter
Attack
Evidence Age: 6176
Method GET
Parameter
Attack
Evidence Age: 6179
Method GET
Parameter
Attack
Evidence Age: 6181
Method GET
Parameter
Attack
Evidence Age: 6185
Method GET
Parameter
Attack
Evidence Age: 6191
Method GET
Parameter
Attack
Evidence Age: 6196
Method GET
Parameter
Attack
Evidence Age: 6197
Method GET
Parameter
Attack
Evidence Age: 6207
Method GET
Parameter
Attack
Evidence Age: 6224
Method GET
Parameter
Attack
Evidence Age: 6225
Method GET
Parameter
Attack
Evidence Age: 6233
Method GET
Parameter
Attack
Evidence Age: 6234
Method GET
Parameter
Attack
Evidence Age: 6235
Method GET
Parameter
Attack
Evidence Age: 6248
Method GET
Parameter
Attack
Evidence Age: 6252
Method GET
Parameter
Attack
Evidence Age: 6253
Method GET
Parameter
Attack
Evidence Age: 6257
Method GET
Parameter
Attack
Evidence Age: 6262
Method GET
Parameter
Attack
Evidence Age: 6266
Method GET
Parameter
Attack
Evidence Age: 6281
Method GET
Parameter
Attack
Evidence Age: 6282
Method GET
Parameter
Attack
Evidence Age: 6292
Method GET
Parameter
Attack
Evidence Age: 6296
Method GET
Parameter
Attack
Evidence Age: 6303
Method GET
Parameter
Attack
Evidence Age: 6304
Method GET
Parameter
Attack
Evidence Age: 6305
Method GET
Parameter
Attack
Evidence Age: 6313
Method GET
Parameter
Attack
Evidence Age: 6317
Method GET
Parameter
Attack
Evidence Age: 6326
Method GET
Parameter
Attack
Evidence Age: 6334
Method GET
Parameter
Attack
Evidence Age: 6335
Method GET
Parameter
Attack
Evidence Age: 6338
Method GET
Parameter
Attack
Evidence Age: 6344
Method GET
Parameter
Attack
Evidence Age: 6348
Method GET
Parameter
Attack
Evidence Age: 6352
Method GET
Parameter
Attack
Evidence Age: 6356
Method GET
Parameter
Attack
Evidence Age: 6362
Method GET
Parameter
Attack
Evidence Age: 6369
Method GET
Parameter
Attack
Evidence Age: 6374
Method GET
Parameter
Attack
Evidence Age: 6375
Method GET
Parameter
Attack
Evidence Age: 6377
Method GET
Parameter
Attack
Evidence Age: 6384
Method GET
Parameter
Attack
Evidence Age: 6393
Method GET
Parameter
Attack
Evidence Age: 6398
Method GET
Parameter
Attack
Evidence Age: 6401
Method GET
Parameter
Attack
Evidence Age: 6404
Method GET
Parameter
Attack
Evidence Age: 6406
Method GET
Parameter
Attack
Evidence Age: 6413
Method GET
Parameter
Attack
Evidence Age: 6435
Method GET
Parameter
Attack
Evidence Age: 6436
Method GET
Parameter
Attack
Evidence Age: 6441
Method GET
Parameter
Attack
Evidence Age: 6447
Method GET
Parameter
Attack
Evidence Age: 6454
Method GET
Parameter
Attack
Evidence Age: 6460
Method GET
Parameter
Attack
Evidence Age: 6472
Method GET
Parameter
Attack
Evidence Age: 6476
Method GET
Parameter
Attack
Evidence Age: 6477
Method GET
Parameter
Attack
Evidence Age: 6479
Method GET
Parameter
Attack
Evidence Age: 6482
Method GET
Parameter
Attack
Evidence Age: 6495
Method GET
Parameter
Attack
Evidence Age: 6498
Method GET
Parameter
Attack
Evidence Age: 6504
Method GET
Parameter
Attack
Evidence Age: 6512
Method GET
Parameter
Attack
Evidence Age: 6519
Method GET
Parameter
Attack
Evidence Age: 6526
Method GET
Parameter
Attack
Evidence Age: 6529
Method GET
Parameter
Attack
Evidence Age: 6531
Method GET
Parameter
Attack
Evidence Age: 6535
Method GET
Parameter
Attack
Evidence Age: 6536
Method GET
Parameter
Attack
Evidence Age: 6552
Method GET
Parameter
Attack
Evidence Age: 6559
Method GET
Parameter
Attack
Evidence Age: 6563
Method GET
Parameter
Attack
Evidence Age: 6564
Method GET
Parameter
Attack
Evidence Age: 6565
Method GET
Parameter
Attack
Evidence Age: 6571
Method GET
Parameter
Attack
Evidence Age: 6577
Method GET
Parameter
Attack
Evidence Age: 6585
Method GET
Parameter
Attack
Evidence Age: 6589
Method GET
Parameter
Attack
Evidence Age: 6595
Method GET
Parameter
Attack
Evidence Age: 6602
Method GET
Parameter
Attack
Evidence Age: 6610
Method GET
Parameter
Attack
Evidence Age: 6613
Method GET
Parameter
Attack
Evidence Age: 6624
Method GET
Parameter
Attack
Evidence Age: 6628
Method GET
Parameter
Attack
Evidence Age: 6633
Method GET
Parameter
Attack
Evidence Age: 6635
Method GET
Parameter
Attack
Evidence Age: 6636
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Evidence Age: 490792
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Method GET
Parameter
Attack
Other Info
Instances 351
Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent
the content being stored and retrieved from the cache by another user:
Cache-Control: no-cache, no-store, must-revalidate, private
Solution Pragma: no-cache
Expires: 0
This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in
response to a similar request.
https://tools.ietf.org/html/rfc7234
Reference https://tools.ietf.org/html/rfc7231
http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (obsoleted by rfc7234)
CWE Id
WASC Id
Plugin Id 10050
Informational User Agent Fuzzer

Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the
Description
response body with the original response.
URL https://learning.tokenlab.dev/
Method GET
Parameter Header User-Agent
Attack Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Evidence
Other Info
Method GET
Evidence
Other Info
Method GET
Evidence
Other Info
Method GET
Attack Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
Evidence
Other Info
Method GET
Attack Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0
Evidence
Other Info
Method GET
Attack Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Evidence
Other Info
Method GET
Attack Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0
Evidence
Other Info
Method GET
Attack Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Evidence
Other Info
Method GET
Attack Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Evidence
Other Info
Method GET
Attack Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4
Evidence
Other Info
Method GET
Attack Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16
Evidence
Other Info
Method GET
Attack msnbot/1.1 (+http://search.msn.com/msnbot.htm)
Evidence
Other Info
Instances 12
Solution
Reference https://owasp.org/wstg
CWE Id
WASC Id
Plugin Id 10104

(Divi Report) Tokenlab

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

(Divi Report) Tokenlab

Uploaded by

Copyright:

Available Formats

[Divi Report] Tokenlab

Sites: https://learning.tokenlab.dev https://www.google-analytics.com https://static.hotjar.com https://www.googletagmanager.com

Risk Level Number of Alerts

Name Risk Level Number of Instances

Cloud Metadata Potentially Exposed High 1

High Cloud Metadata Potentially Exposed

Medium .htaccess Information Leak

Medium Content Security Policy (CSP) Header Not Set

Medium Cross-Domain Misconfiguration

Medium Missing Anti-clickjacking Header

Low Strict-Transport-Security Header Not Set

Low Timestamp Disclosure - Unix

Low X-Content-Type-Options Header Missing

Informational Information Disclosure - Sensitive Information in HTTP Referrer Header

Informational Information Disclosure - Suspicious Comments

Informational Re-examine Cache-control Directives

Informational Retrieved from Cache

Cache-Control: no-cache, no-store, must-revalidate, private

Solution Pragma: no-cache

Informational User Agent Fuzzer

You might also like