
Comprehensive Report

Acunetix Threat Level 3: High

One or more high-severity type vulnerabilities have been discovered by the scanner. A malicious user can exploit these vulnerabilities and compromise the backend database and/or deface your website.

Scan Detail

Target www.six-group.com
Scan Type Full Scan
Start Time Apr 1, 2024, 3:47:46 PM GMT-7
Scan Duration 54 minutes
Requests 32462
Average Response Time 239ms
Maximum Response Time 24281ms
Application Build v23.9.230927167

Critical: 0 | High: 1 | Medium: 1 | Low: 1 | Informational: 8

Severity Vulnerabilities Instances

Critical 0 0
High 1 1
Medium 1 1
Low 1 1
Informational 4 8
Total 7 11

High Severity

Instances
Certificate is Signed Using a Weak Signature A… 1

Medium Severity

Instances
SSL Certificate Name Hostname Mismatch 1

Low Severity

Instances
Clickjacking: CSP frame-ancestors missing 1

Informational

Instances
Content Security Policy Misconfiguration 5
Generic Email Address Disclosure 1
HTTP Strict Transport Security (HSTS) Errors a… 1
Others 1

Impacts
SEVERITY INSTANCES IMPACT

High 1 Certificate is Signed Using a Weak Signature Algorithm

Medium 1 SSL Certificate Name Hostname Mismatch

Low 1 Clickjacking: CSP frame-ancestors missing

Informational 5 Content Security Policy Misconfiguration

Informational 1 Generic Email Address Disclosure

Informational 1 HTTP Strict Transport Security (HSTS) Errors and Warnings

Informational 1 Subresource Integrity (SRI) Not Implemented

Certificate is Signed Using a Weak Signature Algorithm
Acunetix detected that a certificate is signed using a weak signature algorithm.

SHA-1, the signature algorithm in use here, is known to be cryptographically weak and vulnerable to collision attacks. Note that in the details below the Subject and Issuer are identical, i.e. the flagged certificate is the self-signed SwissSign Gold CA - G2 root rather than the server's own leaf certificate; confirm which certificate in the chain carries the SHA-1 signature before acting on this finding.

Impact

By exploiting this weakness, attackers may be able to observe the encrypted traffic between your website and its visitors.

https://www.six-group.com/

Subject: C=CH,O=SwissSign AG,CN=SwissSign Gold CA - G2

Issuer: C=CH,O=SwissSign AG,CN=SwissSign Gold CA - G2

Public Key Algorithm: rsaEncryption

Hash Algorithm: sha1

Certificate: (PEM-encoded certificate omitted)

Recommendation

You'll need to generate a new certificate request, and get your CA to issue you a new certificate using SHA-2.

References

OWASP - Insecure Configuration Management
https://wiki.owasp.org/index.php/Insecure_Configuration_Management

SHA1 Deprecation - What You Need to Know
https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know

Why Google is Hurrying the Web to Kill SHA-1
https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1

MD5 Considered Harmful Today - Creating a Rogue CA Certificate
https://www.win.tue.nl/hashclash/rogue-ca/

OWASP Top 10-2017 A3-Sensitive Data Exposure
https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure

MS Security Advisory - Research Proves Feasibility of Collision Attacks Against MD5
https://docs.microsoft.com/en-us/security-updates/securityadvisories/2008/961509#research-proves-feasibility-of-collision-attacks-against-md5

SSL Certificate Name Hostname Mismatch

Acunetix detected a hostname mismatch in the SSL certificate. This happens when the common name to
which an SSL Certificate is issued (e.g., www.example.com) doesn't exactly match the name displayed in
the URL bar.

Impact

It can impact both the website and its users:

Warning error messages displayed by browsers when visiting the site
Personal information at risk from man-in-the-middle attacks
Reduction in trust as the site becomes insecure
Ability for an attacker to create an identical phishing website

https://www.six-group.com/

Subject: C=CH,ST=ZH,L=Zurich,O=SIX Group Services AG,CN=www.six-securities-services.com

Issuer: C=CH,O=SwissSign AG,CN=SwissSign RSA TLS OV ICA 2021 - 1

Public Key Algorithm: rsaEncryption

Hash Algorithm: sha256

Certificate: (PEM-encoded certificate omitted)

Recommendation
The process of fixing name-hostname mismatch issues varies depending on the host or the certificate
authority used. Please refer to the corresponding documentation.

References

What Is an SSL Common Name Mismatch Error and How Do I Fix It?
https://www.globalsign.com/en/blog/what-is-common-name-mismatch-error

Clickjacking: CSP frame-ancestors missing

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of
tricking a Web user into clicking on something different from what the user perceives they are clicking on,
thus potentially revealing confidential information or taking control of their computer while clicking on
seemingly innocuous web pages.

The server didn't return a frame-ancestors directive in the Content-Security-Policy header, which means that this website could be at risk of a clickjacking attack. The frame-ancestors directive can be used to indicate whether or not a browser should be allowed to render a page inside a frame. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

Impact
The impact depends on the affected web application.

https://www.six-group.com/
Paths without CSP frame-ancestors:

https://www.six-group.com/errorpages/assets/fonts/fontawesome/

https://www.six-group.com/assets/fonts/

https://www.six-group.com/sitemap.xml.gz

https://www.six-group.com/en/home.html

https://www.six-group.com/assets/

https://www.six-group.com/en/

https://www.six-group.com/errorpages/assets/fonts/fontawesome/assets/

https://www.six-group.com/errorpages/

https://www.six-group.com/errorpages/assets/images/

https://www.six-group.com/errorpages/assets/fonts/icons/

https://www.six-group.com/errorpages/assets/

https://www.six-group.com/errorpages/assets/fonts/

https://www.six-group.com/.htpasswd

https://www.six-group.com/.passwd

https://www.six-group.com/account

https://www.six-group.com/account.asp

https://www.six-group.com/account.aspx

https://www.six-group.com/account.jsp

https://www.six-group.com/account.php

https://www.six-group.com/admin.htm

https://www.six-group.com/admin.html

Request
GET /errorpages/assets/fonts/fontawesome/ HTTP/1.1
Referer: https://www.six-group.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: www.six-group.com
Connection: Keep-alive

Recommendation
Configure your web server to include a CSP header with frame-ancestors directive and an X-Frame-Options
header. Consult Web references for more information about the possible values for this header.

References

OWASP Clickjacking
https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html

CSP: frame-ancestors
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

The X-Frame-Options response header
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Content Security Policy Misconfiguration

Acunetix evaluated the scan target's Content Security Policies, checked for misconfigurations and
potentially unintended side-effects of otherwise valid configurations, and offers the following suggestions
on how to change existing policies for improved security and maximum compatibility.

Impact
Consult References for more information.

https://www.six-group.com/ Verified

An Unsafe Content Security Policy (CSP) Directive in Use

First observed on: https://www.six-group.com/errorpages/assets/fonts/fontawesome/
CSP Value: base-uri 'none'; default-src 'self'; img-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
CSP Source: header
Summary: Acunetix detected that one of the following CSP directives is used: unsafe-eval, unsafe-inline. By using unsafe-eval, you allow the use of string evaluation functions like eval. By using unsafe-inline, you allow the execution of inline scripts, which almost defeats the purpose of CSP. When this is allowed, it is very easy to successfully exploit a Cross-site Scripting vulnerability on your website.
Impact: An attacker can bypass CSP and exploit a Cross-site Scripting vulnerability successfully.
Remediation: If possible remove unsafe-eval and unsafe-inline from your CSP directives.
References:
N/A

Request
GET /errorpages/assets/fonts/fontawesome/ HTTP/1.1
Referer: https://www.six-group.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: www.six-group.com
Connection: Keep-alive

https://www.six-group.com/ Verified

default-src Used in Content Security Policy (CSP)

First observed on: https://www.six-group.com/errorpages/assets/fonts/fontawesome/
CSP Value: base-uri 'none'; default-src 'self'; img-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
CSP Source: header
Summary: Acunetix detected that default-src is used in the CSP. Note that default-src does not act as a fallback for the following directives: base-uri, form-action, frame-ancestors, plugin-types, report-uri, sandbox.
Impact: N/A
Remediation: N/A
References:
N/A

Request
GET /errorpages/assets/fonts/fontawesome/ HTTP/1.1
Referer: https://www.six-group.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: www.six-group.com
Connection: Keep-alive

https://www.six-group.com/ Verified

Wildcard Detected in Domain Portion of Content Security Policy (CSP) Directive

First observed on: https://www.six-group.com/admin.htm
CSP Value: default-src 'self' 'unsafe-inline' 'unsafe-eval' analytics.twitter.com assets.juicer.io cdns.eu1.gigya.com cdn.cookielaw.org cdn.knightlab.com code.jquery.com connect.facebook.net geolocation.onetrust.com munchkin.marketo.net optanon.blob.core.windows.net snap.licdn.com static.ads-twitter.com www.buzzsprout.com *.googletagmanager.com www.google.com www.googleadservices.com www.gstatic.com www.youtube.com *.analytics.google.com *.google-analytics.com *.googleapis.com 505-xng-882.mktoweb.com 636-tke-312.mktoweb.com fonts.googleapis.com info.six-group.com info.finanzmuseum.ch info.ebill.ch accounts.eu1.gigya.com adservice.google.com ad.doubleclick.net cookies-data.onetrust.io graph.facebook.com info-sandbox.six-group.com privacyportal-ch.onetrust.com *.g.doubleclick.net www.juicer.io 505-xng-882.mktoresp.com 636-tke-312.mktoresp.com 505-xng-882.mktoutil.com 636-tke-312.mktoutil.com www.six-structured-products.com *.google.com *.google.ad *.google.at *.google.com.au *.google.be *.google.ca *.google.ch *.google.de *.google.dk *.google.es *.google.fi *.google.fr *.google.gr *.google.com.hk *.google.ie *.google.im *.google.is *.google.it *.google.co.jp *.google.li *.google.lu *.google.nl *.google.no *.google.pt *.google.se *.google.com.sg *.google.sm *.google.co.uk www.schweizeraktien.net fonts.gstatic.com data: cdnapisec.kaltura.com googleads.g.doubleclick.net player.vimeo.com *.transistor.fm www.facebook.com www.federli.ch www.youtube-nocookie.com *.fls.doubleclick.net anchor.fm podcasters.spotify.com; img-src https: data:; report-uri /api/six/cspreport; report-to csp-endpoint;
CSP Source: header
Summary: Acunetix detected that a wildcard was used in the domain portion of a CSP directive.
Impact: This means you trust all subdomains of that domain; if that is intended, there is no impact.
Remediation: If you trust all subdomains and this is necessary, no action is needed. Otherwise, replace the wildcard with only the subdomain(s) you trust.
References:
N/A

Request
GET /admin.htm HTTP/1.1
Referer: https://www.six-group.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: www.six-group.com
Connection: Keep-alive

https://www.six-group.com/ Verified

data: Used in a Content Security Policy (CSP) Directive

First observed on: https://www.six-group.com/admin.htm
CSP Value: default-src 'self' 'unsafe-inline' 'unsafe-eval' analytics.twitter.com assets.juicer.io cdns.eu1.gigya.com cdn.cookielaw.org cdn.knightlab.com code.jquery.com connect.facebook.net geolocation.onetrust.com munchkin.marketo.net optanon.blob.core.windows.net snap.licdn.com static.ads-twitter.com www.buzzsprout.com *.googletagmanager.com www.google.com www.googleadservices.com www.gstatic.com www.youtube.com *.analytics.google.com *.google-analytics.com *.googleapis.com 505-xng-882.mktoweb.com 636-tke-312.mktoweb.com fonts.googleapis.com info.six-group.com info.finanzmuseum.ch info.ebill.ch accounts.eu1.gigya.com adservice.google.com ad.doubleclick.net cookies-data.onetrust.io graph.facebook.com info-sandbox.six-group.com privacyportal-ch.onetrust.com *.g.doubleclick.net www.juicer.io 505-xng-882.mktoresp.com 636-tke-312.mktoresp.com 505-xng-882.mktoutil.com 636-tke-312.mktoutil.com www.six-structured-products.com *.google.com *.google.ad *.google.at *.google.com.au *.google.be *.google.ca *.google.ch *.google.de *.google.dk *.google.es *.google.fi *.google.fr *.google.gr *.google.com.hk *.google.ie *.google.im *.google.is *.google.it *.google.co.jp *.google.li *.google.lu *.google.nl *.google.no *.google.pt *.google.se *.google.com.sg *.google.sm *.google.co.uk www.schweizeraktien.net fonts.gstatic.com data: cdnapisec.kaltura.com googleads.g.doubleclick.net player.vimeo.com *.transistor.fm www.facebook.com www.federli.ch www.youtube-nocookie.com *.fls.doubleclick.net anchor.fm podcasters.spotify.com; img-src https: data:; report-uri /api/six/cspreport; report-to csp-endpoint;
CSP Source: header
Summary: Acunetix detected that the data: scheme is used in a CSP directive.
Impact: An attacker can bypass CSP and exploit a Cross-site Scripting vulnerability successfully by using the data: protocol.
Remediation: Remove data: sources from your CSP directives.
References:
N/A

Request
GET /admin.htm HTTP/1.1
Referer: https://www.six-group.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: www.six-group.com
Connection: Keep-alive

https://www.six-group.com/ Verified

Scheme URI Detected in Content Security Policy (CSP) Directive

First observed on: https://www.six-group.com/admin.htm

CSP Value: default-src 'self' 'unsafe-inline' 'unsafe-eval' analytics.twitter.com assets.juicer.io cdns.eu1.gigya.com cdn.cookielaw.org cdn.knightlab.com code.jquery.com connect.facebook.net geolocation.onetrust.com munchkin.marketo.net optanon.blob.core.windows.net snap.licdn.com static.ads-twitter.com www.buzzsprout.com *.googletagmanager.com www.google.com www.googleadservices.com www.gstatic.com www.youtube.com *.analytics.google.com *.google-analytics.com *.googleapis.com 505-xng-882.mktoweb.com 636-tke-312.mktoweb.com fonts.googleapis.com info.six-group.com info.finanzmuseum.ch info.ebill.ch accounts.eu1.gigya.com adservice.google.com ad.doubleclick.net cookies-data.onetrust.io graph.facebook.com info-sandbox.six-group.com privacyportal-ch.onetrust.com *.g.doubleclick.net www.juicer.io 505-xng-882.mktoresp.com 636-tke-312.mktoresp.com 505-xng-882.mktoutil.com 636-tke-312.mktoutil.com www.six-structured-products.com *.google.com *.google.ad *.google.at *.google.com.au *.google.be *.google.ca *.google.ch *.google.de *.google.dk *.google.es *.google.fi *.google.fr *.google.gr *.google.com.hk *.google.ie *.google.im *.google.is *.google.it *.google.co.jp *.google.li *.google.lu *.google.nl *.google.no *.google.pt *.google.se *.google.com.sg *.google.sm *.google.co.uk www.schweizeraktien.net fonts.gstatic.com data: cdnapisec.kaltura.com googleads.g.doubleclick.net player.vimeo.com *.transistor.fm www.facebook.com www.federli.ch www.youtube-nocookie.com *.fls.doubleclick.net anchor.fm podcasters.spotify.com; img-src https: data:; report-uri /api/six/cspreport; report-to csp-endpoint;
CSP Source: header
Summary: Acunetix detected that a scheme URI was used in a CSP directive.
Impact: A scheme URI in script-src (http: or https:) allows the execution of scripts from any host reachable over that scheme, i.e. unsafe scripts.
Remediation: Replace the scheme URI with the specific domain(s) that you trust.
References:
N/A

Request
GET /admin.htm HTTP/1.1
Referer: https://www.six-group.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: www.six-group.com
Connection: Keep-alive

Recommendation
See alert details for available remediation advice.

References

Using Content Security Policy (CSP) to Secure Web Applications
https://www.invicti.com/blog/web-security/content-security-policy/

The dangers of incorrect CSP implementations
https://www.invicti.com/blog/web-security/negative-impact-incorrect-csp-implementations/

Leverage Browser Security Features to Secure Your Website
https://www.invicti.com/blog/web-security/leverage-browser-security-features-secure-website/

Generic Email Address Disclosure
One or more email addresses have been found on this website. The majority of spam comes from email
addresses harvested off the internet. The spam-bots (also known as email harvesters and email extractors)
are programs that scour the internet looking for email addresses on any website they come across.
Spambot programs look for strings like myname@mydomain.com and then record any addresses found.

Impact
Email addresses posted on Web sites may attract spam.

https://www.six-group.com/
Emails found:

https://www.six-group.com/errorpages/assets/fonts/fontawesome/
internet@six-group.com
https://www.six-group.com/assets/fonts/
internet@six-group.com
https://www.six-group.com/sitemap.xml.gz
internet@six-group.com
https://www.six-group.com/en/home.html
internet@six-group.com
https://www.six-group.com/assets/
internet@six-group.com
https://www.six-group.com/en/
internet@six-group.com
https://www.six-group.com/errorpages/assets/fonts/fontawesome/assets/
internet@six-group.com
https://www.six-group.com/errorpages/
internet@six-group.com
https://www.six-group.com/errorpages/assets/images/
internet@six-group.com
https://www.six-group.com/errorpages/assets/fonts/icons/
internet@six-group.com
https://www.six-group.com/errorpages/assets/
internet@six-group.com
https://www.six-group.com/errorpages/assets/fonts/
internet@six-group.com
https://www.six-group.com/.htpasswd
internet@six-group.com

https://www.six-group.com/.passwd
internet@six-group.com
https://www.six-group.com/account
internet@six-group.com
https://www.six-group.com/account.asp
internet@six-group.com
https://www.six-group.com/account.aspx
internet@six-group.com
https://www.six-group.com/account.jsp
internet@six-group.com
https://www.six-group.com/account.php
internet@six-group.com
https://www.six-group.com/ajax.php
internet@six-group.com
https://www.six-group.com/de/services/404.html
internet@six-group.com

Request
GET /errorpages/assets/fonts/fontawesome/ HTTP/1.1
Referer: https://www.six-group.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: www.six-group.com
Connection: Keep-alive

Recommendation
Check references for details on how to solve this problem.

References

Anti-spam techniques
https://en.wikipedia.org/wiki/Anti-spam_techniques

HTTP Strict Transport Security (HSTS) Errors and Warnings

HTTP Strict Transport Security (HSTS) instructs a web browser to only connect to a web site using HTTPS. It was detected that your web application's HTTP Strict Transport Security (HSTS) implementation is not as strict as is typically advisable.

Impact
HSTS can be used to prevent and/or mitigate some types of man-in-the-middle (MitM) attacks; a policy without includeSubDomains leaves subdomains outside that protection.

https://www.six-group.com/
URLs where HSTS configuration is not according to best practices:

https://www.six-group.com/errorpages/assets/fonts/fontawesome/ - No includeSubDomains directive
https://www.six-group.com/assets/fonts/ - No includeSubDomains directive
https://www.six-group.com/sitemap.xml.gz - No includeSubDomains directive
https://www.six-group.com/en/home.html - No includeSubDomains directive
https://www.six-group.com/assets/ - No includeSubDomains directive
https://www.six-group.com/en/ - No includeSubDomains directive
https://www.six-group.com/errorpages/assets/fonts/fontawesome/assets/ - No includeSubDomains directive
https://www.six-group.com/errorpages/ - No includeSubDomains directive
https://www.six-group.com/errorpages/assets/images/ - No includeSubDomains directive
https://www.six-group.com/errorpages/assets/fonts/icons/ - No includeSubDomains directive
https://www.six-group.com/errorpages/assets/ - No includeSubDomains directive
https://www.six-group.com/errorpages/assets/fonts/ - No includeSubDomains directive
https://www.six-group.com/.htpasswd - No includeSubDomains directive
https://www.six-group.com/.passwd - No includeSubDomains directive
https://www.six-group.com/account - No includeSubDomains directive
https://www.six-group.com/account.asp - No includeSubDomains directive
https://www.six-group.com/account.aspx - No includeSubDomains directive
https://www.six-group.com/account.jsp - No includeSubDomains directive
https://www.six-group.com/account.php - No includeSubDomains directive
https://www.six-group.com/admin.htm - No includeSubDomains directive
https://www.six-group.com/admin.html - No includeSubDomains directive

Request
GET /errorpages/assets/fonts/fontawesome/ HTTP/1.1
Referer: https://www.six-group.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: www.six-group.com
Connection: Keep-alive

Recommendation
It is recommended to implement best practices of HTTP Strict Transport Security (HSTS) in your web
application. Consult web references for more information.

References

hstspreload.org
https://hstspreload.org/

MDN: Strict-Transport-Security
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

Subresource Integrity (SRI) Not Implemented

Subresource Integrity (SRI) is a security feature that enables browsers to verify that third-party resources
they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing
developers to provide a cryptographic hash that a fetched file must match.

Third-party resources (such as scripts and stylesheets) can be manipulated. An attacker that has access to, or has compromised, the hosting CDN can manipulate or replace the files. SRI allows developers to specify a base64-encoded cryptographic hash of the resource to be loaded. The integrity attribute containing the hash is then added to the <script> HTML element tag. The integrity string consists of a prefix naming the hash algorithm, which can be sha256, sha384 or sha512, followed by a hyphen and the base64-encoded hash (as in the sha384- example under Recommendation).

The script loaded from the external URL specified in the Details section doesn't implement Subresource
Integrity (SRI). It's recommended to implement Subresource Integrity (SRI) for all the scripts loaded from
external hosts.

Impact
An attacker that has access or has hacked the hosting CDN can manipulate or replace the files.

https://www.six-group.com/admin.htm
Pages where SRI is not implemented:

https://www.six-group.com/admin.htm
Script SRC: https://cdn.cookielaw.org/scripttemplates/otSDKStub.js

Request
GET /admin.htm HTTP/1.1
Referer: https://www.six-group.com/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: www.six-group.com
Connection: Keep-alive

Recommendation
Use the SRI Hash Generator link (from the References section) to generate a <script> element that
implements Subresource Integrity (SRI).

For example, you can use the following <script> element to tell a browser that before executing the
https://example.com/example-framework.js script, the browser must first compare the script to the
expected hash, and verify that there's a match.

<script src="https://example.com/example-framework.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"></script>

References

Subresource Integrity
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

SRI Hash Generator
https://www.srihash.org/

Coverage

https://www.six-group.com
api
six
cspreport

.DS_Store

.htpasswd

.listing

.passwd

.user.ini

admin.htm

admin.html

admin.php

api.bak

api.cfg

api.csv

api.dump

api.ini

api.old

api.ost

api.pst

api.sh

api.sln

authorized_keys

bigdump.php

customers.csv

database.csv

databases.yml

db.csv

dead.letter

debug.php

environment.rb

global.asa.bak

global.asa.old

global.asa.orig

global.asa.temp

global.asa.tmp

global.asax.bak

global.asax.old

global.asax.orig

global.asax.temp

global.asax.tmp

htaccess.bak

id_dsa

log.htm

log.html

logs.htm

logs.html

members.csv

orders.csv

php.ini

phpliteadmin.php

propel.ini

sales.csv

schema.yml

service.asmx

test.asp

test.aspx

test.chm

test.htm

test.html

test.jsp

test.php

users.csv

users.db

users.ini

validator.php

web.config.bak

web.config.bakup

web.config.old

web.config.temp

web.config.tmp

webstats.html

wwwstats.htm

assets
fonts

bin

search
autocomplete

content
dam
six

layout
meta

six
global
es
services
search

dam

images
career

layout
meta

de

blog
company-growth.html

crypto.html

currency-codes.html

financial-data.html

financial-market-infrastructure.html

payment-transactions.html

people-and-culture.html

six-annual-report-2023.html

stock-exchanges.html

what-is-the-smi.html

why-you-need-climate-data.html

careers

apprentices
career-insights.html

commercial-apprenticeship.html

digital-business-developer-apprenticeship.html

it-apprenticeship.html

mediamatic-apprenticeship.html

schools.html

contacts

human-resources.html

discover
benefits-personal-growth.html

diversity-at-six.html

employees.html

professionals
it-careers.html

jobs-poland.html

jobs-spain.html

students-graduates
graduate-program.html

internship.html

working-students.html

apprentices.html

discover.html

jobs.html

professionals.html

students-graduates.html

company
contacts
head-office.html

governance
board-of-directors.html

compliance.html

executive-board.html

monitoring-and-regulation.html

risk-management.html

security.html

investors
annual-reporting.html

the-future-of-finance-is-now
research-reports.html

six-fintech-ventures.html

awards.html

events.html

governance.html

investors.html

procurement.html

sustainability.html

the-future-of-finance-is-now.html

contacts
banking-services.html

financial-information.html

securities-services.html

swiss-stock-exchange.html

market-data
bonds.html

data-services.html

etfs.html

etps.html

indices.html

mutual-funds.html

news-and-tools.html

shares.html

statistics.html

structured-products.html

newsroom
contacts
press-office.html

magazines
archive.html

pay-magazine.html

podcasts
six-podcast.html

swiss-exchange-podcast.html

imagery.html

magazines.html

media-contacts.html

media-releases.html

news.html

podcasts.html

red-newsletter.html

products-services
banking-services

data-ai
ai-outlook.html

atm-services.html

billing-and-payments.html

blink.html

data-ai.html

debit-and-mobile-services.html

interbank-clearing.html

payment-standardization.html

financial-information
display-and-delivery-capabilities.html

esg-data.html

indices.html

reference-pricing-data.html

regulatory-services.html

securities-services
clearing.html

download-center.html

securities-finance.html

settlement-and-custody.html

tax-services.html

trade-repository.html

specialized-offerings

conventionpoint.html

finanzmuseum.html

terravis.html

the-swiss-stock-exchange
education.html

listing.html

market-data.html

trading.html

banking-services.html

financial-information.html

securities-services.html

spanish-stock-exchange.html

specialized-offerings.html

the-swiss-stock-exchange.html

services

legal
cookie-policy.html

privacy-statement.html

terms-of-use.html

404.html

search.html

blog.html

careers.html

company.html

contacts.html

home.html

market-data.html

newsroom.html

products-services.html

en

careers
apprentices
career-insights.html

commercial-apprenticeship.html

digital-business-developer-apprenticeship.html

it-apprenticeship.html

mediamatic-apprenticeship.html

schools.html

contacts
human-resources.html

discover
benefits-personal-growth.html

diversity-at-six.html

employees.html

professionals
it-careers.html

jobs-poland.html

jobs-spain.html

students-graduates
graduate-program.html

internship.html

working-students.html

apprentices.html

discover.html

jobs.html

professionals.html

students-graduates.html

company

contacts
head-office.html

governance
board-of-directors.html

compliance.html

executive-board.html

monitoring-and-regulation.html

risk-management.html

security.html

investors
annual-reporting.html

the-future-of-finance-is-now
research-reports.html

six-fintech-ventures.html

awards.html

events.html

governance.html

investors.html

procurement.html

sustainability.html

the-future-of-finance-is-now.html

contacts
banking-services.html

financial-information.html

securities-services.html

swiss-stock-exchange.html

market-data
bonds.html

data-services.html

etfs.html

etps.html

indices.html

mutual-funds.html

news-and-tools.html

shares.html

statistics.html

structured-products.html

newsroom

contacts
press-office.html

magazines

archive.html

pay-magazine.html

podcasts
six-podcast.html

swiss-exchange-podcast.html

imagery.html

magazines.html

media-contacts.html

media-releases.html

news.html

podcasts.html

red-newsletter.html

products-services
banking-services
atm-services

managed-services
cash-management.html

monitoring.html

transaction-processing

nfc.html

qr-code.html

atm-outsourcing.html

managed-services.html

transaction-processing.html

billing-and-payments
ebill-dd-project

financial-institutions.html

invoice-issuers.html

invoice-recipients.html

network-partners.html

direct-debits.html

ebill-dd-project.html

ebill.html

instant-payments.html

member-section.html

newsletter.html

payment-standards.html

qr-bill.html

scheme-on-scheme.html

data-ai
advanced-analytics.html

ai-outlook.html

payment-enrichment.html

debit-and-mobile-services
digital-services.html

issuer-services.html

issuing-processing.html

license-sponsoring.html

new-debit-products.html

six-account-gateway.html

interbank-clearing
eurosic

payments-ch-li.html

payments-euro-zone.html

sepa-payments.html

online-services

download-bank-master.html

inquiry-iid.html

system-status.html

eurosic.html

info-center.html

online-services.html

sic.html

payment-standardization

downloads-faq
download-center.html

faq.html

glossary.html

expertise

mandates.html

tools.html

standards

ebics.html

iban.html

iso-20022.html

qr-bill.html

sepa.html

downloads-faq.html

expertise.html

standards.html

swiss-payments.html

atm-services.html

billing-and-payments.html

blink.html

data-ai.html

debit-and-mobile-services.html

interbank-clearing.html

payment-standardization.html

financial-information

display-and-delivery-capabilities
apid.html

ips.html

mdf.html

regulatory-hub.html

six-api.html

six-connect.html

sixflex.html

sixid.html

vdf.html

esg-data

esg-data-hub.html

esg-regrisk-management.html

esg-solutions.html

indices-esg.html

indices

benchmark-regulation.html

crypto-indices.html

customized-indices.html

nordic-indices.html

swiss-indices.html

reference-pricing-data
corporate-actions-data.html

evaluated-pricing.html

fund-data.html

global-market-data.html

reference-data.html

regulatory-services

esg-regrisk-management.html

investor-protection.html

reporting-services.html

tax-and-compliance.html

display-and-delivery-capabilities.html

esg-data.html

indices.html

reference-pricing-data.html

regulatory-services.html

securities-services

clearing
clearing-membership.html

clearing-products.html

info-center.html

redirect.html

securities-finance

collateral-cockpit.html

info-center.html

repo.html

securities-lending-borrowing.html

triparty-collateral-management.html

settlement-and-custody
asset-servicing.html

global-fund-services.html

info-center.html

international-custody.html

issuer-services.html

settlement-and-t2s.html

swiss-custody.html

technical-connectivity.html

tax-services
advanced-tax-services.html

regulatory-tax-services.html

standard-tax-services.html

trade-repository
info-center.html

clearing.html

download-center.html

securities-finance.html

settlement-and-custody.html

tax-services.html

trade-repository.html

specialized-offerings

conventionpoint.html

finanzmuseum.html

terravis.html

the-swiss-stock-exchange
education
advanced-training.html

contacts.html

course-finder.html

derivatives-fundamentals.html

derivatives-master.html

equity-issuers.html

financial-markets.html

post-trading.html

pre-ipo.html

trading.html

listing
bonds.html

connexor.html

download-center.html

equities.html

etfs-etps-and-funds.html

structured-products.html

market-data
bonds.html

data-services.html

etf.html

etp.html

indices.html

mutual-funds.html

news-tools.html

shares.html

statistics.html

structured-products.html

trading
download-center.html

markets.html

participation.html

sustainability.html

trading-platform.html

trading-provisions.html

education.html

listing.html

market-data.html

trading.html

banking-services.html

financial-information.html

securities-services.html

spanish-stock-exchange.html

specialized-offerings.html

the-swiss-stock-exchange.html

services

legal
cookie-policy.html

privacy-statement.html

terms-of-use.html

404.html

search.html

blog.html

careers.html

company.html

contacts.html

home.html

market-data.html

newsroom.html

products-services.html

errorpages

assets
fonts
fontawesome

assets
fonts

icons

images

es
services
404.html

blog.html

home.html

etc.clientlibs

ihcc
components
list

newest_pages_list
assets
fonts

clientlibs.min.ACSHASH224cf70db02f020052852a2a9e41c627.css

libs

clientlibs-sixheadlibs.min.ACSHASHc9668fd2aecc0ecce259fcfbe70ed5f2.js

saas-aem-module
clientlibs
assets

fonts

clientlib-base.min.ACSHASHeeb19a6356227ee734443fa98c6b44d8.js

clientlib-dependencies.min.ACSHASHd41d8cd98f00b204e9800998ecf8427e.css

clientlib-dependencies.min.ACSHASHd41d8cd98f00b204e9800998ecf8427e.js

etc
designs
ihcc
images
icons

sixwebv2
build
images

logos

scripts
sixwebv2.min.ACSHASHa17bdb4595950f0127acc7a30da421cc.js

styles.min.ACSHASH44c1dbc6fc0ef25ce984b0b388758980.css

fr

products-services
banking-services
data-ai

ai-outlook.html

services
404.html

blog.html

it
services
404.html

.htpasswd

.passwd

account

account.asp

account.aspx

account.jsp

account.php

admin.htm

admin.html

admin.php

ajax.php

api.aspx

api.jsp

api.php

bigdump.php

cache

cache.asp

cache.aspx

cache.jsp

cache.php

callback

callback.asp

callback.aspx

callback.jsp

callback.php

config.php

configuration.php

cp

cp.asp

cp.aspx

cp.jsp

cp.php

customers

customers.asp

customers.aspx

customers.csv

customers.jsp

customers.php

database

database.asp

database.aspx

database.csv

database.jsp

database.php

databases.yml

db.csv

debug.php

download

download.asp

download.aspx

download.jsp

download.php

export

export.asp

export.aspx

export.jsp

export.php

file_manager

file_manager.asp

file_manager.aspx

file_manager.jsp

file_manager.php

file_upload

file_upload.asp

file_upload.aspx

file_upload.jsp

file_upload.php

files

files.asp

files.aspx

files.jsp

files.php

fileupload

fileupload.asp

fileupload.aspx

fileupload.jsp

fileupload.php

footer

footer.asp

footer.aspx

footer.jsp

footer.php

forgot

forgot.asp

forgot.aspx

forgot.jsp

forgot.php

functions

functions.asp

functions.aspx

functions.jsp

functions.php

global.asa.bak

global.asa.old

global.asa.orig

global.asa.temp

global.asa.tmp

header

header.asp

header.aspx

header.jsp

header.php

home

home.asp

home.aspx

home.jsp

home.php

htaccess.bak

id_dsa

index

index.asp

index.aspx

index.jsp

index.php

info

info.asp

info.aspx

info.jsp

install

install.asp

install.aspx

install.jsp

install.php

join

join.asp

join.aspx

join.jsp

join.php

log

log.asp

log.aspx

log.jsp

log.php

login

login.asp

login.aspx

login.jsp

login.php
