Application scan kompass_therapiebegleiter_de___2012_jun_29
Application scan kompass_therapiebegleiter_de___2012_jun_29 Presentation Transcript

Qualys, Inc, 1600 Bridge Parkway, Redwood Shores, CA 94065, (650) 801 6100

Scan Results Report

Data Information
  Type: WAS Scan Result
  Author: Daneian Easy
  Company: Johnson and Johnson
  Generation date: 09 Jul 2012 09:07AM GMT-0400

Settings
  Sort Criteria: Sort by descending Severity

The scan completed successfully in 30 minutes and 8 seconds.

Scan Information
  Title: EMEA-Pharma-EXT-Prod-Quaterly-kompass-therapiebegleiter.de - 2012-Jun-29
  Scan Type: Vulnerability
  Launch Mode: Scheduled
  Start Date: 01 Jul 2012 01:00AM GMT-0400
  End Date: 01 Jul 2012 01:30AM GMT-0400
  Web Application: kompass-therapiebegleiter.de
  Target URL: http://www.kompass-therapiebegleiter.de
  Authentication Record: None
  Option Profile: P&G-LC5H-LPF-MBTF-NSC_COM
  Scanner Appliance: External

Scan Summary
  Security Risk: (value not captured in the transcript)
  Authentication Status: None
  Crawling Phase
    Crawl Duration: 00:02:38
    # Links Crawled: 51 Links
    # Links In Queue: 0 Links
  Vulnerability Assessment Phase
    Assessment Time: 00:26:24
    # Requests: 10,044
Findings By Type

Sensitive Content By Group: (none reported)

Vulnerabilities by Group / Level
  Name   Level 1   Level 2   Level 3   Level 4   Level 5   Total
  XSS    0         0         0         0         0         0
  SQL    0         0         0         0         0         0
  PATH   0         0         0         0         0         0
  INFO   10        0         1         0         0         11
Vulnerabilities by OWASP Top 10
  Code   # Vulns
  A-1    0
  A-2    0
  A-3    0
  A-4    0
  A-5    0
  A-6    1
  A-7    0
  A-8    0
  A-9    0
  A-10   0

WASC Threats: (none reported)

Results

QID: 150085 / Information Disclosure
Slow HTTP POST vulnerability
URL: https://www.kompass-therapiebegleiter.de/contactus
CWE IDs: -
OWASP References: A6: Security Misconfiguration
WASC References: -
Vulnerable Parameter: -
Description: The application scanner determined that the web application is probably vulnerable to a slow HTTP POST denial-of-service attack, an application-layer (Layer 7) DoS. The attacker holds server connections open by sending properly formed HTTP POST headers, including a legitimate Content-Length header that tells the web server how much body data to expect. Once the headers have been sent in full, the POST body is sent at a very slow rate so that the request never completes and the connection, together with the server resources tied to it, stays occupied. The server waits for the complete body because it has to support clients with slow or intermittent connections. More information can be found in this presentation (the link was not preserved in the transcript).
Impact: All other services remain intact, but the web server itself becomes completely inaccessible.
Solution: The fix is server-specific, but the general recommendations are:
  - limit the acceptable request size to what each form actually requires
  - establish a minimum acceptable transfer rate for the request body
  - establish an absolute timeout for connections carrying a POST request
  An easy-to-use tool for intrusive testing is available here (the link was not preserved in the transcript).
Results
  Authenticated: -
  Form Entry Point: -
  Payload: N/A
  Result: Vulnerable to slow HTTP POST attack. The server resets its timeout each time it accepts request data from the peer, so a client that trickles the body in small pieces is never disconnected.

QID: 6 / Information Gathered
DNS Host Name
CWE IDs: -
OWASP References: -
WASC References: -
Description: The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the Results section.
Impact: -
Solution: -
Results
  IP address      Host name
  77.246.41.39    No registered hostname

QID: 45038 / Information Gathered
Host Scan Time
CWE IDs: -
OWASP References: -
WASC References: -
Description: The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Results section below. It does not correlate directly with the Duration shown in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task: it includes the time to scan all hosts, which may involve parallel scanning, plus the time it takes a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. When a scan task is distributed across multiple scanners, the Duration also includes the time it takes to perform parallel host scanning on all scanners.
Impact: N/A
Solution: N/A
Results
  Scan duration: 1760 seconds
  Start time: Sun, Jul 01 2012, 05:00:17 GMT
  End time: Sun, Jul 01 2012, 05:29:37 GMT

QID: 82040 / Information Gathered
ICMP Replies Received
CWE IDs: -
OWASP References: -
WASC References: -
Description: ICMP (Internet Control Message Protocol) is a protocol encapsulated in IP packets. Its principal purpose is to provide a protocol layer that informs gateways of the inter-connectivity and accessibility of other gateways or hosts. The following packet types were sent to trigger the host to send ICMP replies:
  - Echo Request (to trigger Echo Reply)
  - Timestamp Request (to trigger Timestamp Reply)
  - Address Mask Request (to trigger Address Mask Reply)
  - UDP Packet (to trigger Port Unreachable Reply)
  - IP Packet with Protocol >= 250 (to trigger Protocol Unreachable Reply)
  Listed in the Results section are the ICMP replies that were received.
Impact: -
Solution: -
Results
  ICMP Reply Type         Triggered By     Additional Information
  Echo (type=0 code=0)    Echo Request     Echo Reply

QID: 150009 / Information Gathered
Links Crawled
CWE IDs: -
OWASP References: -
WASC References: -
Description: The list of unique links crawled by the web application scanner appears in the Results section. This list may contain fewer links than the maximum threshold defined at scan launch, because the maximum links to crawl also counts requests made via HTML forms and requests for the same link made as an anonymous and as an authenticated user.
Impact: N/A
Solution: N/A
Results
  Duration of crawl phase (seconds): 158.00
  Number of links: 51 (this number excludes form requests and links re-requested during authentication)
  http://www.kompass-therapiebegleiter.de/
  http://www.kompass-therapiebegleiter.de/adherence
  http://www.kompass-therapiebegleiter.de/basic_info
  http://www.kompass-therapiebegleiter.de/contactus
  http://www.kompass-therapiebegleiter.de/datenschutz-glossar
  http://www.kompass-therapiebegleiter.de/impressum
  http://www.kompass-therapiebegleiter.de/index.php
  http://www.kompass-therapiebegleiter.de/legal_notice
  http://www.kompass-therapiebegleiter.de/misc/favicon.ico
  http://www.kompass-therapiebegleiter.de/privacy_policy
  http://www.kompass-therapiebegleiter.de/psychoedukation
  http://www.kompass-therapiebegleiter.de/shared_decision
  http://www.kompass-therapiebegleiter.de/sitemap
  http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_patient.pdf
  http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_umschlag.pdf
  http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_Titel.pdf
  http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_inhalt.pdf
  http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_Titel_02.pdf
  http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_inhalt_02.pdf
  http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_adherence_therapiebegleiter.pdf
  http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_infoletter_1.pdf
  http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_pe_cl_krisenbewaeltigung.pdf
  http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js
  http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js
  http://www.kompass-therapiebegleiter.de/therapy_planning
  https://www.kompass-therapiebegleiter.de/
  https://www.kompass-therapiebegleiter.de/adherence
  https://www.kompass-therapiebegleiter.de/basic_info
  https://www.kompass-therapiebegleiter.de/contactus
  https://www.kompass-therapiebegleiter.de/contactus/
  https://www.kompass-therapiebegleiter.de/contactus/confirm
  https://www.kompass-therapiebegleiter.de/datenschutz-glossar
  https://www.kompass-therapiebegleiter.de/impressum
  https://www.kompass-therapiebegleiter.de/legal_notice
  https://www.kompass-therapiebegleiter.de/misc/favicon.ico
  https://www.kompass-therapiebegleiter.de/privacy_policy
  https://www.kompass-therapiebegleiter.de/psychoedukation
  https://www.kompass-therapiebegleiter.de/shared_decision
  https://www.kompass-therapiebegleiter.de/sitemap
  https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_patient.pdf
  https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_umschlag.pdf
  https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_Titel.pdf
  https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_inhalt.pdf
  https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_Titel_02.pdf
  https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_inhalt_02.pdf
  https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_adherence_therapiebegleiter.pdf
  https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_infoletter_1.pdf
  https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_pe_cl_krisenbewaeltigung.pdf
  https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js
  https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js
  https://www.kompass-therapiebegleiter.de/therapy_planning

  Editor's note: every page is reachable over both http:// and https://, and the two aggregated script files are served from a directory named after a staging host, stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net, which discloses the hosting environment and the existence of a staging site. The report does not raise either point as a finding.

QID: 150010 / Information Gathered
External Links Discovered
CWE IDs: -
OWASP References: -
WASC References: -
Description: The external links discovered by the web application scanning engine are listed in the Results section. These links were present on the target web application but were not crawled.
Impact: N/A
Solution: N/A
Results
  Number of links: 8
  http://www.google-analytics.com/ga.js
  http://www.adobe.com/de/products/reader/
  http://www.janssen-cilag.de/?product=kompass
  https://ssl.google-analytics.com/ga.js
  mailto:%5bno%20address%20given%5d
  mailto:datenschutz.jacde@jacde.jnj.com
  mailto:jancil@its.jnj.com
  http://tools.google.com/dlpage/gaoptout?hl=de

QID: 150021 / Information Gathered
Scan Diagnostics
CWE IDs: -
OWASP References: -
WASC References: -
Description: This check provides various details of the scan's performance and behavior. In some cases it can be used to identify problems that the scanner encountered when crawling the target web application.
Impact: The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the web application.
Solution: No action is required.
Results
  Loaded 0 blacklist entries.
  Loaded 0 whitelist entries.
  HTML form authentication unavailable, no WEBAPP entry found
  Collected 57 links overall.
  Path manipulation: estimated time < 1 minute (101 tests, 75 inputs)
  Path manipulation: 101 vulnsigs tests, completed 3185 requests, 538 seconds. All tests completed.
  WS enumeration: estimated time < 1 minute (9 tests, 69 inputs)
  WS enumeration: 9 vulnsigs tests, completed 189 requests, 32 seconds. All tests completed.
  Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (43 tests, 0 inputs)
  Batch #1 URI parameter manipulation (no auth): 43 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
  Batch #1 Form parameter manipulation (no auth): estimated time < 1 minute (43 tests, 3 inputs)
  Batch #1 Form parameter manipulation (no auth): 43 vulnsigs tests, completed 301 requests, 179 seconds. All tests completed.
  Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (19 tests, 0 inputs)
  Batch #1 URI blind SQL manipulation (no auth): 19 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
  Batch #1 Form blind SQL manipulation (no auth): estimated time < 1 minute (19 tests, 3 inputs)
  Batch #1 Form blind SQL manipulation (no auth): 19 vulnsigs tests, completed 133 requests, 220 seconds. All tests completed.
  Batch #1 Form field time-based tests (no auth): estimated time < 1 minute (8 tests, 0 inputs)
  Batch #1 Form field time-based tests (no auth): 8 vulnsigs tests, completed 56 requests, 103 seconds. No tests to execute.
  HTTP call manipulation: estimated time < 1 minute (32 tests, 0 inputs)
  HTTP call manipulation: 32 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
  Open Redirect analysis: estimated time < 1 minute (1 tests, 0 inputs)
  Open Redirect analysis: 1 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
  Cookie manipulation: estimated time < 1 minute (36 tests, 10 inputs)
  Cookie manipulation: 36 vulnsigs tests, completed 4725 requests, 428 seconds. XSS optimization removed 207 links. Completed 4725 requests of 11520 estimated requests (41%). All tests completed.
  Header manipulation: estimated time < 1 minute (36 tests, 32 inputs)
  Header manipulation: 36 vulnsigs tests, completed 768 requests, 84 seconds. XSS optimization removed 736 links. Completed 768 requests of 2304 estimated requests (33%). All tests completed.
  Total requests made: 10044
  Average server response time: 0.55 seconds
  Most recent links:
    200 https://www.kompass-therapiebegleiter.de/therapy_planning
    200 https://www.kompass-therapiebegleiter.de/impressum
    200 https://www.kompass-therapiebegleiter.de/psychoedukation
    200 https://www.kompass-therapiebegleiter.de/privacy_policy
    200 https://www.kompass-therapiebegleiter.de/basic_info
    200 https://www.kompass-therapiebegleiter.de/contactus/confirm
    200 https://www.kompass-therapiebegleiter.de/datenschutz-glossar
    200 https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js
    200 https://www.kompass-therapiebegleiter.de/contactus/
    200 http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js

QID: 150028 / Information Gathered
Cookies Collected
CWE IDs: -
OWASP References: -
WASC References: -
Description: The cookies listed in the Results section were received from the web application during the crawl phase.
Impact: Cookies may contain sensitive information about the user. Cookies sent via HTTP may be sniffed.
Solution: Review cookie values to ensure that sensitive information such as passwords is not present in them.
Results
  Total cookies: 10
  InquiryID=62955; path=/; domain=www.kompass-therapiebegleiter.de
  SESSa1d09bb6cc6d03301008ba39ec8b2506=vg9kj6u8nujbcmg4r4p241bgvij93mbu; expires=Tue Jul 24 01:35:01 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1999908; httponly
  SESSa1d09bb6cc6d03301008ba39ec8b2506=v62ptgn01p4ajr3i4emm1jarrhlddlil; path=/; domain=www.kompass-therapiebegleiter.de
  __utma=153766946.1204051642.1341118844.1341118844.1341118844.1; expires=Mon Jun 30 22:02:37 2014; path=/; domain=.kompass-therapiebegleiter.de; max-age=63071964
  __utmb=153766946.2.10.1341118844; expires=Sat Jun 30 22:32:37 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1764
  __utmb=153766946.1.10.1341118844; path=/; domain=www.kompass-therapiebegleiter.de
  __utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de
  __utmz=153766946.1341118844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expires=Sun Dec 30 09:02:37 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767964
  current_time=1341118900; path=/; domain=www.kompass-therapiebegleiter.de
  has_js=1; path=/; domain=www.kompass-therapiebegleiter.de

QID: 150054 / Information Gathered
Email Addresses Collected
CWE IDs: -
OWASP References: -
WASC References: -
Description: The email addresses listed in the Results section were collected from the returned HTML content during the crawl phase.
Impact: Email addresses may help a malicious user with brute-force and phishing attacks.
Solution: Review the email list to see whether all of these addresses are ones you want to expose.
Results
  Number of emails: 2
  datenschutz.jacde@jacde.jnj.com
  jancil@its.jnj.com

QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
(The report lists this finding ten times, once per URL, with identical text; the text is given once here and the affected URLs are listed under Results.)
CWE IDs: -
OWASP References: -
WASC References: -
Vulnerable Parameter: -
Description: An attacker can trick the user into clicking on a link or button by loading the original page in a frame and showing a layer on top of it with decoy buttons.
Impact: Attacks such as CSRF can be performed using clickjacking techniques.
Solution: The two most common preventions are:
  - X-Frame-Options: this response header works with most modern browsers and can be used to prevent framing of the page.
  - Framekiller: JavaScript code that prevents a malicious site from framing the page.
Results
  Authenticated: -
  Form Entry Point: -
  Payload: N/A
  Result: The response for each of the following requests did not have an "X-FRAME-OPTIONS" header present:
    http://www.kompass-therapiebegleiter.de/basic_info
    http://www.kompass-therapiebegleiter.de/therapy_planning
    http://www.kompass-therapiebegleiter.de/sitemap
    http://www.kompass-therapiebegleiter.de/shared_decision
    http://www.kompass-therapiebegleiter.de/
    http://www.kompass-therapiebegleiter.de/privacy_policy
    http://www.kompass-therapiebegleiter.de/impressum
    http://www.kompass-therapiebegleiter.de/legal_notice
    http://www.kompass-therapiebegleiter.de/psychoedukation
    http://www.kompass-therapiebegleiter.de/adherence

QID: 150099 / Information Gathered
Cookies Issued Without User Consent
CWE IDs: -
OWASP References: -
WASC References: -
Description: The cookies listed in the Results section were issued by the web application during the crawl without any opt-in dialog being accepted.
Impact: Cookies may be set without the user explicitly agreeing to accept them.
Solution: Review the application to ensure that all cookies listed are supposed to be issued without user opt-in. If the EU cookie law applies to this web application, ensure these cookies require user opt-in or have been classified as exempt by your organization.
Results
  Total cookies: 6
  SESSa1d09bb6cc6d03301008ba39ec8b2506=fa7qu4blostqinffatpvuakqbtj2hpmo; expires=Tue Jul 24 01:36:32 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1999999; httponly
  __utma=153766946.587451473.1341118993.1341118993.1341118993.1; expires=Mon Jun 30 22:03:12 2014; path=/; domain=.kompass-therapiebegleiter.de; max-age=63071999
  __utmb=153766946.1.10.1341118993; expires=Sat Jun 30 22:33:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1799
  __utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de
  __utmz=153766946.1341118993.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expires=Sun Dec 30 09:03:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767999
  has_js=1; path=/; domain=www.kompass-therapiebegleiter.de

Appendix - Web Application Profile: P&G-LC5H-LPF-MBTF-NSC_COM

Crawling
  Form Submission: POST & GET
  Maximum Links to Crawl: 500
  Performance: LOW

Sensitive Content
  Credit Card Numbers: No
  Social Security Numbers: No
  Custom: No
  Custom Checks: -
Detection
  Option: COMPLETE

Password Bruteforcing
  Option: MINIMAL
  Number of Attempts: -

CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2012, Qualys, Inc.
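The slow HTTP POST finding (QID 150085) reports that the server resets its timeout each time it accepts request data, which is exactly what a per-read idle timeout does and why one slow client can hold a connection open indefinitely. The report's three recommendations translate into a body reader that enforces a size cap, an absolute deadline measured from the first byte, and a minimum average transfer rate. The following Python is an added example, not Qualys tooling or the site's code; the limit values and the simulated peer are assumptions chosen for illustration so that the example runs offline.

```python
# Added example: a request-body reader that enforces the three limits the
# Qualys report recommends, exercised against a simulated slow client.
# Not the site's code and not Qualys tooling; all limits below are assumed.

import time


class SlowPostRejected(Exception):
    """Raised when the request body violates one of the configured limits."""


def read_request_body(recv, content_length, *, max_body=64 * 1024,
                      absolute_timeout=10.0, min_bytes_per_sec=100.0,
                      rate_grace=1.0, clock=time.monotonic):
    """Read exactly content_length bytes through recv(n, timeout) -> bytes.

    recv returns b"" if nothing arrived within `timeout` seconds. Unlike a
    per-read idle timeout, which a slow client resets with every byte, the
    deadline here is measured from the first call, and once `rate_grace`
    seconds have passed the average rate must stay above min_bytes_per_sec.
    """
    if content_length > max_body:
        raise SlowPostRejected("Content-Length %d exceeds limit %d"
                               % (content_length, max_body))
    start = clock()
    body = bytearray()
    while len(body) < content_length:
        elapsed = clock() - start
        if elapsed >= absolute_timeout:
            raise SlowPostRejected("absolute body timeout exceeded")
        if elapsed >= rate_grace and len(body) / elapsed < min_bytes_per_sec:
            raise SlowPostRejected("body arriving at %.1f B/s, below minimum %.0f B/s"
                                   % (len(body) / elapsed, min_bytes_per_sec))
        # Never wait past the absolute deadline, whatever the peer does.
        chunk = recv(content_length - len(body), absolute_timeout - elapsed)
        if not chunk:
            raise SlowPostRejected("absolute body timeout exceeded")
        body += chunk
    return bytes(body)


class SimulatedPeer:
    """Constructed stand-in for a socket: delivers `chunk` bytes every
    `interval` seconds of simulated time, so no network is needed."""

    def __init__(self, total, chunk, interval):
        self.remaining = total
        self.chunk = chunk
        self.interval = interval
        self.now = 0.0

    def clock(self):
        return self.now

    def recv(self, n, timeout):
        wait = min(self.interval, timeout)
        self.now += wait
        if wait < self.interval:      # timed out before the next chunk arrived
            return b""
        size = min(n, self.chunk, self.remaining)
        self.remaining -= size
        return b"A" * size


def simulate(content_length, chunk, interval, **limits):
    """Run the guarded reader against a simulated client.

    Returns ("ok", bytes_read) or ("rejected", reason)."""
    peer = SimulatedPeer(content_length, chunk, interval)
    try:
        body = read_request_body(peer.recv, content_length,
                                 clock=peer.clock, **limits)
        return "ok", len(body)
    except SlowPostRejected as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # A normal browser POST: 4 KiB arriving in 1 KiB pieces, 50 ms apart.
    print(simulate(4096, 1024, 0.05))
    # The attack the scanner found: honest Content-Length, then one byte every 2 s.
    print(simulate(4096, 1, 2.0))
    # A client that goes silent after sending the headers.
    print(simulate(4096, 1024, 60.0))
    # A Content-Length far beyond anything the contact form could need.
    print(simulate(10 * 1024 * 1024, 1024, 0.05))
```

In production these limits belong in the web server or the reverse proxy in front of it rather than in application code: on Apache httpd they map onto LimitRequestBody and mod_reqtimeout's RequestReadTimeout directive (which has a MinRate setting for exactly this attack), and on nginx onto client_max_body_size and client_body_timeout. Note that nginx's client_body_timeout is, like the behaviour the scanner observed, an idle timeout between two successive reads rather than an absolute one, so a minimum rate has to be enforced by a proxy or WAF in front of it.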
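The ten QID 150081 findings are all the same check: the response carried no X-Frame-Options header. The following Python is an added example, not the Qualys check and not the site's code, that evaluates a response's headers for framing protection. It goes beyond the report's check in two ways the report's solution text does not mention: it accepts the Content-Security-Policy frame-ancestors directive, which modern browsers honour in preference to X-Frame-Options, and it treats unrecognised or conflicting X-Frame-Options values as unprotected, because browsers ignore values they do not understand. The sample header sets are constructed for the example, not captured from the site. Of the two mitigations the report lists, the header is the one to rely on: a JavaScript framekiller can be defeated by a framing page that prevents script from running inside the frame (for example via the iframe sandbox attribute), so it is at best a fallback.

```python
# Added example: classify a response's framing protection from its headers.
# Not Qualys's check and not the site's code. The sample responses below
# are constructed; the site's real headers are not in the report.


def parse_raw_headers(raw):
    """Turn a raw HTTP response head (status line plus header lines) into a
    list of (name, value) pairs, keeping duplicate headers in order."""
    pairs = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:   # skip the status line
        if not line.strip():
            break                                           # blank line ends the head
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def _header(headers, name):
    """Case-insensitive lookup returning every value sent under `name`."""
    return [v for k, v in headers if k.lower() == name.lower()]


def framing_protection(headers):
    """Return (status, reason); status is 'protected', 'partial' or 'unprotected'."""
    # CSP frame-ancestors takes precedence over X-Frame-Options when present.
    for csp in _header(headers, "Content-Security-Policy"):
        for directive in csp.split(";"):
            tokens = directive.strip().split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = [t.lower() for t in tokens[1:]]
                if sources in (["'none'"], ["'self'"]):
                    return "protected", "CSP frame-ancestors %s" % sources[0]
                if "*" in sources:
                    return "unprotected", "CSP frame-ancestors allows any origin"
                return "partial", "CSP frame-ancestors limited to: %s" % " ".join(sources)

    xfo = _header(headers, "X-Frame-Options")
    if not xfo:
        return "unprotected", "no X-Frame-Options header present"
    values = {v.strip().upper() for v in xfo}
    if len(values) > 1:
        return "unprotected", ("conflicting X-Frame-Options values %s; browser handling varies"
                               % sorted(values))
    value = values.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return "protected", "X-Frame-Options " + value
    if value.startswith("ALLOW-FROM"):
        return "partial", "ALLOW-FROM is not supported by all browsers; use CSP frame-ancestors"
    return "unprotected", "unrecognised X-Frame-Options value %r is ignored by browsers" % xfo[0]


# Constructed sample responses (not captured from the scanned site).
AS_SCANNED = parse_raw_headers(
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n<html>...")
XFO_FIXED = AS_SCANNED + [("X-Frame-Options", "SAMEORIGIN")]
CSP_FIXED = AS_SCANNED + [("Content-Security-Policy",
                           "default-src 'self'; frame-ancestors 'none'")]
MISSPELT = AS_SCANNED + [("X-Frame-Options", "ALLOWALL")]
CONFLICTING = AS_SCANNED + [("X-Frame-Options", "deny"), ("x-frame-options", "SAMEORIGIN")]

if __name__ == "__main__":
    for label, hdrs in [("as scanned", AS_SCANNED), ("XFO", XFO_FIXED),
                        ("CSP", CSP_FIXED), ("misspelt", MISSPELT),
                        ("conflicting", CONFLICTING)]:
        print("%-12s %s" % (label, framing_protection(hdrs)))
```

To run this against a live host, feed parse_raw_headers the response head from http.client or curl -i; sending both a Content-Security-Policy with frame-ancestors and an X-Frame-Options header covers browsers that only understand one of the two.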
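The Cookies Collected list (QID 150028) is worth reading against the crawl list: the site answers on both http:// and https://, the contact form is served over HTTPS, and the SESS... session cookie is scoped to .kompass-therapiebegleiter.de with (on one of its two lines) httponly but on neither line the Secure attribute, so a browser would also send it on every plain-HTTP page load, which is the sniffing risk the finding's Impact line describes. The following Python is an added example, not Qualys tooling or the site's code, that parses Set-Cookie lines as the report prints them and flags the attributes that matter. Its input is the report's own cookie list. Two assumptions are made for the example: the SESS<hex> name pattern is taken to mark the server-side session cookie, and Secure is required on every cookie because the site serves HTTPS.

```python
# Added example: audit the Set-Cookie lines listed under QID 150028 for the
# attributes that decide whether a cookie can leak over plain HTTP or to script.
# Not Qualys tooling and not the site's code.

import re

# Input: Set-Cookie lines copied from the report's "Cookies Collected" results.
REPORTED_COOKIES = [
    "InquiryID=62955; path=/; domain=www.kompass-therapiebegleiter.de",
    "SESSa1d09bb6cc6d03301008ba39ec8b2506=vg9kj6u8nujbcmg4r4p241bgvij93mbu; "
    "expires=Tue Jul 24 01:35:01 2012; path=/; domain=.kompass-therapiebegleiter.de; "
    "max-age=1999908; httponly",
    "SESSa1d09bb6cc6d03301008ba39ec8b2506=v62ptgn01p4ajr3i4emm1jarrhlddlil; "
    "path=/; domain=www.kompass-therapiebegleiter.de",
    "__utma=153766946.1204051642.1341118844.1341118844.1341118844.1; "
    "expires=Mon Jun 30 22:02:37 2014; path=/; domain=.kompass-therapiebegleiter.de; "
    "max-age=63071964",
    "current_time=1341118900; path=/; domain=www.kompass-therapiebegleiter.de",
    "has_js=1; path=/; domain=www.kompass-therapiebegleiter.de",
]

# Assumption (not stated by the report): SESS + 32 hex digits is the
# server-side session cookie and therefore gets the strictest checks.
SESSION_NAME = re.compile(r"^SESS[0-9a-f]{32}$")


def parse_set_cookie(line):
    """Split one Set-Cookie value into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(line, site_has_https=True):
    """Return the list of issues for one Set-Cookie line (empty list means none)."""
    cookie = parse_set_cookie(line)
    attrs = cookie["attrs"]
    is_session = bool(SESSION_NAME.match(cookie["name"]))
    issues = []
    # Assumption: on a site reachable over HTTPS every cookie should carry Secure,
    # otherwise the browser also sends it on http:// requests to the same host.
    if site_has_https and "secure" not in attrs:
        issues.append("missing Secure: sent on plain-HTTP requests too")
    if is_session and "httponly" not in attrs:
        issues.append("missing HttpOnly: session cookie readable by script")
    if is_session and attrs.get("domain", "").startswith("."):
        issues.append("domain-wide scope: shared with every subdomain of %s" % attrs["domain"])
    if is_session and ("expires" in attrs or "max-age" in attrs):
        issues.append("persistent session cookie (expires/max-age set)")
    return issues


def audit_all(lines, site_has_https=True):
    """Map each cookie (name@domain, since names repeat across domains) to its issues."""
    report = {}
    for line in lines:
        cookie = parse_set_cookie(line)
        key = cookie["name"] + "@" + cookie["attrs"].get("domain", "")
        report[key] = audit_cookie(line, site_has_https)
    return report


if __name__ == "__main__":
    for key, issues in audit_all(REPORTED_COOKIES).items():
        print(key)
        for issue in issues:
            print("   -", issue)
```

The same parser can be pointed at a live response by collecting every Set-Cookie header from http.client (use getheaders(), since get() would merge repeated headers) and passing the values in as `lines`.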