The scan found 11 vulnerabilities on the site kompass-therapiebegleiter.de, including one information disclosure vulnerability related to a slow HTTP POST attack. The scan was completed in 30 minutes and 8 seconds, crawling 51 links over a period of 158 seconds. The host scan time was 1760 seconds.
Build Your Mobile App Faster with AWS Mobile Services (Cognito, Lambda, SNS, ... - Amazon Web Services
Build powerful mobile applications using AWS Mobile Services. For the first time, we will discuss how mobile developers can leverage the new cross-platform AWS Mobile Services that we announced today, and how they can authenticate and authorize their users using Amazon Cognito, a user identity and data synchronization service. We will discuss how the Amazon Mobile Analytics service collects, visualizes and understands your mobile app usage at scale. All this is available as a single unified, mobile-optimized, easy-to-use SDK so developers can access these new services (and other services like S3, DynamoDB) with just a few lines of code on the client and without the need to own backend servers. - http://aws.amazon.com/mobile
As more and more people are coming to realize, there is far more to living a truly successful life than just earning a bigger salary and capturing a corner office. Our relentless pursuit of the two traditional metrics of success - money and power - has led to an epidemic of burnout and stress-related illnesses, and an erosion in the quality of our relationships, family life, and, ironically, our careers. In being connected to the world 24/7, we're losing our connection to what truly matters.
Drawing on the latest groundbreaking research and scientific findings in the fields of psychology, sports, sleep, and physiology that show the profound and transformative effects of meditation, mindfulness, unplugging, and giving, I show us the way to a revolution in our culture, our thinking, our workplace, and our lives.
This presentation is a visual excerpt of my book, Thrive. To read more, go to: http://thrive.huffingtonpost.com/
Reuters: Pictures of the Year 2016 (Part 2) - maditabalnco
This document contains 20 photos from news events around the world between January and November 2016. The photos show international events like the US presidential election, the conflict in Ukraine, the migrant crisis in Europe, the Rio Olympics, and more. They also depict human interest stories and natural phenomena from various countries.
The Six Highest Performing B2B Blog Post Formats - Barry Feldman
If your B2B blogging goals include earning social media shares and backlinks to boost your search rankings, this infographic lists the six best approaches.
1) The document discusses the opportunity for technology to improve organizational efficiency and transition economies into a "smart and clean world."
2) It argues that aggregate efficiency has stalled at around 22% for 30 years due to limitations of the Second Industrial Revolution, but that digitizing transport, energy, and communication through technologies like blockchain can help manage resources and increase efficiency.
3) Technologies like precision agriculture, cloud computing, robotics, and autonomous vehicles may allow for "dematerialization" and do more with fewer physical resources through effects like reduced waste and need for transportation/logistics infrastructure.
The document discusses SSL Labs, a free online service that analyzes the implementation of the SSL/TLS protocols on websites. It performs an audit checking for vulnerabilities and issues, and provides a report on the server's SSL configuration including the protocols and ciphers supported, certificate validation, and an overall score. The majority of servers are found to not be well configured for security, with only 31.24% receiving the top score of A.
OWASP London training course 2010 - Matteo Meucci
Here are some examples of how to test for authentication vulnerabilities:
- Try logging in with default credentials, common credentials or by enumerating users (OWASP-AT-002, OWASP-AT-003)
- Attempt to bypass authentication by modifying cookies, tokens or other parameters used to maintain session state (OWASP-AT-005)
- See if strong passwords are enforced or if weak, common or default passwords can be guessed (OWASP-AT-003, OWASP-AT-004)
- Verify credentials are transmitted only over an encrypted channel and sensitive data is not exposed (OWASP-AT-001)
- Test if password reset and "remember me" functions are secure
This document discusses the relationship between the PCI-DSS security standard and the OWASP Foundation. It provides an overview of OWASP, including its mission to produce open source tools, standards, and documentation related to web application security. The document then focuses on how the OWASP Testing Guide can help organizations comply with the PCI-DSS standard by providing a framework for testing the security of web applications and examples of specific tests that can be performed.
This document summarizes a case study where the author performed a security assessment of Android software used in a home health care company. The assessment found issues with authentication, authorization, encryption of data at rest and in transit, and lack of transport layer protection. The vendor was notified of the findings and planned to address them by implementing unique setup codes and SSL, though the current version still lacked SSL. The study demonstrated the importance of independently assessing mobile healthcare apps for security issues.
The 2023 Vulnerability Stats report as delivered to the IISF.
Covering: PTaaS, Pentesting, Vulnerability Management, EPSS, CISA KEV, Risk, Attack Surface Management. It's based on delivering thousands of PTaaS and RBVM assessments throughout 2022. Why tools and traditional pentesting have failed.
Software Development Weaknesses - SecOSdays Sofia, 2019 - Balázs Tatár
The OWASP Top 10 is a powerful awareness document for web application security; the latest version was released in 2017. It represents the industry-standard weaknesses that are the most critical in terms of their security risk.
In this talk we go into details of all its items, matching them with vulnerability types from the CWE (Common Weakness Enumeration) category system.
To understand the most common security issues and their consequences, one of the best ways is to learn about prevention.
Most of them can be remediated at a low cost if they are discovered during the development phase - in this session we're going to check Java, C, PHP, Perl and other programming languages in order to raise awareness for secure software development.
How Can PVS-Studio Help in the Detection of Vulnerabilities? - PVS-Studio
This document discusses how the static code analyzer PVS-Studio can help detect vulnerabilities. It begins by providing background on PVS-Studio and how it detects bugs and weaknesses (CWEs) that can lead to vulnerabilities. The document then matches specific PVS-Studio diagnostic rules to CWE categories. It presents examples of real vulnerabilities that could have been detected by PVS-Studio in various open source projects, including illumos-gate, Network Audio System, Ytnef, and MySQL. The vulnerabilities discussed include buffer overflows, format string issues, and null pointer dereferences. The document demonstrates how PVS-Studio could help find and prevent security vulnerabilities during development.
This document discusses vulnerabilities in application frameworks and the importance of monitoring for vulnerabilities in third party libraries and components. It uses the Equifax breach as an example of how vulnerabilities in the Apache Struts framework were exploited to gain access and steal personal data. The document recommends that software developers and IT security teams regularly check all application components for known vulnerabilities and ensure components and libraries are kept up to date with the latest security patches. It also emphasizes the importance of detection mechanisms to identify suspicious activity resulting from exploited vulnerabilities.
This document summarizes a vulnerability handling process. It describes classifying vulnerabilities using identifiers like CVE and CVSS. It outlines steps to receive reports, verify issues, remediate problems by fixing or mitigating, then publishing information. The process emphasizes communicating with reporters, updating customers, and retrospective learning to improve processes.
SPICE MODEL of TPC6107 (Standard+BDS Model) in SPICE PARK - Tsuyoshi Horigome
SPICE MODEL of TPC6107 (Standard+BDS) in SPICE PARK. English Version is http://www.spicepark.net. Japanese Version is http://www.spicepark.com by Bee Technologies.
This document summarizes a presentation by Damilola Longe from the OWASP Foundation about web application defenses. It discusses the prevalence of applications in people's lives and security issues developers need to be aware of. It covers the OWASP Top 10 security risks like cross-site scripting and input validation. It provides examples of how to implement defenses against these risks using output encoding, sanitization libraries, and content security policy.
The OWASP Top Ten Proactive Controls v2 introduces new proactive controls to the Top Ten list. It includes more practical examples and contributions from the OWASP community and non-OWASP community. It also includes some best practices to consider when building mobile apps, such as secure storage, authentication, etc. The document then lists 10 proactive controls, including verifying for security early and often, parameterizing queries, encoding data, validating all inputs, implementing identity and authentication controls, implementing appropriate access controls, protecting data, implementing logging and intrusion detection, leveraging security frameworks and libraries, and handling errors and exceptions.
The document discusses validating all inputs to prevent cross-site scripting (XSS) attacks. It introduces the OWASP HTML Sanitizer Project, which is a Java library that sanitizes HTML to allow untrusted user input to be safely embedded in web pages. The sanitizer removes malicious code while keeping desired markup, through a policy-based approach. Sample usages demonstrated validate specific elements like images and links. The project aims to protect against XSS while allowing third-party content through a tested, securely-designed library.
The OWASP Top Ten Proactive Controls v2 introduces new proactive controls to the Top Ten list, provides more practical examples and case studies, and has contributions from a large number of non-OWASP community members, while also including some best practices for building secure mobile applications. It outlines 10 proactive controls for application security including verifying for security early and often, parameterizing queries, encoding data before use in a parser, validating all inputs, implementing identity and authentication controls, implementing appropriate access controls, protecting data, implementing logging and intrusion detection, leveraging security frameworks and libraries, and handling errors and exceptions.
OWASP Overview of Projects You Can Use Today - DefCamp 2012 - DefCamp
The document provides an overview of OWASP projects and resources that can be used today. It describes several key OWASP tools and projects including the OWASP Top 10, Code Review Guide, Testing Guide, Cheat Sheet Series, AppSec Tutorials, Application Security Verification Standard (ASVS), and LiveCD/WTE. These free and open resources help developers, testers and organizations build more secure software.
The OWASP Top Ten Proactive Controls 2.0 document introduces new proactive controls to the Top Ten list and provides more practical examples and contributions from the community. It includes some best practices for building secure mobile apps. The document then describes 10 proactive controls addressing common vulnerabilities like injection, XSS, access control issues etc. It provides details on each control with examples and references.
SPICE MODEL of TPC6107 (Professional+BDP Model) in SPICE PARK - Tsuyoshi Horigome
SPICE MODEL of TPC6107 (Professional+BDP Model) in SPICE PARK. English Version is http://www.spicepark.net. Japanese Version is http://www.spicepark.com by Bee Technologies.
APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security.
Secure your APIs with WAF in AWS
Kuldeep Pisda, Backend Developer at Goldcast
Setup Preconfigured Protections on AWS WAF - November 2016 Webinar Series - Amazon Web Services
Today’s web applications are becoming increasingly difficult to secure. AWS WAF helps to protect web applications from attack by blocking common web exploits like SQL injection and cross-site scripting. This session will introduce AWS WAF, how it integrates with other AWS services and how to use it to help protect your web applications. We will also demo how to deploy preconfigured rules and security automation on AWS WAF.
Learning Objectives:
• Understand the basics of AWS WAF
• Learn about AWS WAF’s ease of use and fast incident response
• Learn how to deploy preconfigured rules and security automation
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery - OWASP Khartoum
Cross Site Request Forgery (CSRF) is a type of attack that forces a logged-in user's browser to send a forged HTTP request to a vulnerable web application, including the user's session cookie and any other authentication information. The document discusses CSRF attacks, provides detection and protection techniques, and notes that CSRF is listed as the fifth most critical vulnerability in the OWASP Top 10 list. Protection techniques discussed include using tokens or nonces, checking the HTTP referrer, using double submit cookies, and implementing challenge-response authentication.
MMIX Peering Forum: Securing Internet Routing - APNIC
APNIC Senior Network Analyst Tashi Phuntsho presents on how to secure Internet routing at the Myanmar Internet Exchange (MMIX) Peering Forum 2019 in Yangon, Myanmar from 3 to 5 May 2019.
Elevate Your Nonprofit's Online Presence: A Guide to Effective SEO Strategies... - TechSoup
Whether you're new to SEO or looking to refine your existing strategies, this webinar will provide you with actionable insights and practical tips to elevate your nonprofit's online presence.
A Free 200-Page eBook ~ Brain and Mind Exercise.pptx - OH TEIK BIN
(A Free eBook comprising 3 Sets of Presentation of a selection of Puzzles, Brain Teasers and Thinking Problems to exercise both the mind and the Right and Left Brain. To help keep the mind and brain fit and healthy. Good for both the young and old alike.
Answers are given for all the puzzles and problems.)
With Metta,
Bro. Oh Teik Bin 🙏🤓🤔🥰
A Visual Guide to 1 Samuel | A Tale of Two Hearts - Steve Thomason
These slides walk through the story of 1 Samuel. Samuel is the last judge of Israel. The people reject God and want a king. Saul is anointed as the first king, but he is not a good king. David, the shepherd boy is anointed and Saul is envious of him. David shows honor while Saul continues to self destruct.
Gender and Mental Health - Counselling and Family Therapy Applications and In... - PsychoTech Services
A proprietary approach developed by bringing together the best of learning theories from Psychology, design principles from the world of visualization, and pedagogical methods from over a decade of training experience, that enables you to: Learn better, faster!
How Barcodes Can Be Leveraged Within Odoo 17 - Celine George
In this presentation, we will explore how barcodes can be leveraged within Odoo 17 to streamline our manufacturing processes. We will cover the configuration steps, how to utilize barcodes in different manufacturing scenarios, and the overall benefits of implementing this technology.
This presentation was provided by Racquel Jemison, Ph.D., Christina MacLaughlin, Ph.D., and Paulomi Majumder. Ph.D., all of the American Chemical Society, for the second session of NISO's 2024 Training Series "DEIA in the Scholarly Landscape." Session Two: 'Expanding Pathways to Publishing Careers,' was held June 13, 2024.
Qualys, Inc
1600 Bridge Parkway
Redwood Shores, CA 94065
(650) 801 6100
Scan Results Report
Report Information
Type: WAS Scan Result
Author: Daneian Easy
Company: Johnson and Johnson
Generation date: 09 Jul 2012 09:07AM GMT-0400
Settings
Sort Criteria: Sort by descending Severity
The scan completed successfully in 30 minutes, and 8 seconds.
Scan Information
Title: EMEA-Pharma-EXT-Prod-Quaterly-kompass-therapiebegleiter.de - 2012-Jun-29
Scan Type: Vulnerability
Launch Mode: Scheduled
Start Date: 01 Jul 2012 01:00AM GMT-0400
End Date: 01 Jul 2012 01:30AM GMT-0400
Web Application: kompass-therapiebegleiter.de
Target URL: http://www.kompass-therapiebegleiter.de
Authentication Record: None
Option Profile: P&G-LC5H-LPF-MBTF-NSC_COM
Scanner Appliance: External
Scan Summary
Security Risk:
Authentication Status: None
Crawling Phase
Crawl Duration: 00:02:38
# Links Crawled: 51 Links
# Links In Queue: 0 Links
Vulnerability Assessment Phase
Assessment Time: 00:26:24
# Requests: 10,044
Findings By Type
Sensitive Content By Group
Vulnerabilities by Group / Level
Name Level 1 Level 2 Level 3 Level 4 Level 5 Total
XSS 0 0 0 0 0 0
SQL 0 0 0 0 0 0
PATH 0 0 0 0 0 0
INFO 10 0 1 0 0 11
Vulnerabilities by OWASP Top 10 / WASC Threats
Code # Vulns
A-1 0
A-2 0
A-3 0
A-4 0
A-5 0
A-6 1
A-7 0
A-8 0
A-9 0
A-10 0
Results
QID: 150085 / Information Disclosure
Slow HTTP POST vulnerability
URL: https://www.kompass-therapiebegleiter.de/contactus
CWE IDs:
OWASP References: A6: Security Misconfiguration
WASC References:
Vulnerable Parameter:
Description: The application scanner discovered that the web application is probably vulnerable to a slow HTTP POST DDoS attack, an application-level (Layer 7) DDoS that occurs when an attacker holds server connections open by sending properly crafted HTTP POST headers that contain a legitimate Content-Length header to inform the web server how much data to expect. After the HTTP POST headers are fully sent, the HTTP POST message body is sent at slow speeds to prolong the completion of the connection and lock up server resources. The server waits for the complete request body because it is designed to support clients with slow or intermittent connections. More information can be found in this presentation.
Impact: All other services remain intact, but the web server itself becomes completely inaccessible.
Solution: The solution would be server-specific, but the general recommendations are:
- limit the size of the acceptable request to each form's requirements
- establish a minimal acceptable speed rate
- establish an absolute request timeout for connections with POST requests
An easy-to-use tool for intrusive testing is available here.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: Vulnerable to slow HTTP POST attack
Server resets timeout after accepting request data from peer.
QID: 6 / Information Gathered
DNS Host Name
CWE IDs:
OWASP References:
WASC References:
Description: The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.
Impact:
Solution:
Results
IP address      Host name
77.246.41.39    No registered hostname
QID: 45038 / Information Gathered
Host Scan Time
CWE IDs:
OWASP References:
WASC References:
Description: The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below. The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.
Impact: N/A
Solution: N/A
Results
Scan duration: 1760 seconds
Start time: Sun, Jul 01 2012, 05:00:17 GMT
End time: Sun, Jul 01 2012, 05:29:37 GMT
QID: 82040 / Information Gathered
ICMP Replies Received
CWE IDs:
OWASP References:
WASC References:
Description: ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. ICMP's principal purpose is to provide a protocol layer that informs gateways of the inter-connectivity and accessibility of other gateways or hosts.
We have sent the following types of packets to trigger the host to send us ICMP replies:
Echo Request (to trigger Echo Reply)
Timestamp Request (to trigger Timestamp Reply)
Address Mask Request (to trigger Address Mask Reply)
UDP Packet (to trigger Port Unreachable Reply)
IP Packet with Protocol >= 250 (to trigger Protocol Unreachable Reply)
Listed in the "Result" section are the ICMP replies that we have received.
Impact:
Solution:
Results
ICMP Reply Type         Triggered By    Additional Information
Echo (type=0 code=0)    Echo Request    Echo Reply
QID: 150009 / Information Gathered
Links Crawled
CWE IDs:
OWASP References:
WASC References:
Description: The list of unique links crawled by the Web application scanner appears in the Results section. This list may contain fewer links than the maximum threshold defined at scan launch. The maximum links to crawl includes links in this list, requests made via HTML forms, and requests for the same link made as an anonymous and authenticated user.
Impact: N/A
Solution: N/A
Results
Duration of crawl phase (seconds): 158.00
Number of links: 51
(This number excludes form requests and links re-requested during authentication.)
QID: 150010 / Information Gathered
External Links Discovered
CWE IDs:
OWASP References:
WASC References:
Description: The external links discovered by the Web application scanning engine are provided in the Results section. These links were present on the target Web application, but were not crawled.
Impact: N/A
Solution: N/A
Results
Number of links: 8
http://www.google-analytics.com/ga.js
http://www.adobe.com/de/products/reader/
http://www.janssen-cilag.de/?product=kompass
https://ssl.google-analytics.com/ga.js
mailto:%5bno%20address%20given%5d
mailto:datenschutz.jacde@jacde.jnj.com
mailto:jancil@its.jnj.com
http://tools.google.com/dlpage/gaoptout?hl=de
QID: 150021 / Information Gathered
Scan Diagnostics
CWE IDs:
OWASP References:
WASC References:
Description: This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application.
Impact: The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application.
Solution: No action is required.
Results
Loaded 0 blacklist entries.
Loaded 0 whitelist entries.
HTML form authentication unavailable, no WEBAPP entry found
Collected 57 links overall.
Path manipulation: estimated time < 1 minute (101 tests, 75 inputs)
Path manipulation: 101 vulnsigs tests, completed 3185 requests, 538 seconds. All tests completed.
WS enumeration: estimated time < 1 minute (9 tests, 69 inputs)
WS enumeration: 9 vulnsigs tests, completed 189 requests, 32 seconds. All tests completed.
Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (43 tests, 0 inputs)
Batch #1 URI parameter manipulation (no auth): 43 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Batch #1 Form parameter manipulation (no auth): estimated time < 1 minute (43 tests, 3 inputs)
Batch #1 Form parameter manipulation (no auth): 43 vulnsigs tests, completed 301 requests, 179 seconds. All tests completed.
Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (19 tests, 0 inputs)
Batch #1 URI blind SQL manipulation (no auth): 19 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Batch #1 Form blind SQL manipulation (no auth): estimated time < 1 minute (19 tests, 3 inputs)
Batch #1 Form blind SQL manipulation (no auth): 19 vulnsigs tests, completed 133 requests, 220 seconds. All tests completed.
Batch #1 Form field time-based tests (no auth): estimated time < 1 minute (8 tests, 0 inputs)
Batch #1 Form field time-based tests (no auth): 8 vulnsigs tests, completed 56 requests, 103 seconds. No tests to execute.
HTTP call manipulation: estimated time < 1 minute (32 tests, 0 inputs)
HTTP call manipulation: 32 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Open Redirect analysis: estimated time < 1 minute (1 tests, 0 inputs)
Open Redirect analysis: 1 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Cookie manipulation: estimated time < 1 minute (36 tests, 10 inputs)
Cookie manipulation: 36 vulnsigs tests, completed 4725 requests, 428 seconds. XSS optimization removed 207 links. Completed 4725 requests of 11520 estimated requests (41%). All tests completed.
Header manipulation: estimated time < 1 minute (36 tests, 32 inputs)
Header manipulation: 36 vulnsigs tests, completed 768 requests, 84 seconds. XSS optimization removed 736 links. Completed 768 requests of 2304 estimated requests (33%). All tests completed.
Total requests made: 10044
Average server response time: 0.55 seconds
Most recent links:
200 https://www.kompass-therapiebegleiter.de/therapy_planning
200 https://www.kompass-therapiebegleiter.de/impressum
200 https://www.kompass-therapiebegleiter.de/psychoedukation
200 https://www.kompass-therapiebegleiter.de/privacy_policy
200 https://www.kompass-therapiebegleiter.de/basic_info
200 https://www.kompass-therapiebegleiter.de/contactus/confirm
200 https://www.kompass-therapiebegleiter.de/datenschutz-glossar
200 https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js
200 https://www.kompass-therapiebegleiter.de/contactus/
200 http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js
QID: 150028 / Information Gathered
Cookies Collected
CWE IDs:
OWASP References:
WASC References:
Description: The cookies listed in the Results section were received from the web application during the crawl phase.
Impact: Cookies may contain sensitive information about the user. Cookies sent via HTTP may be sniffed.
Solution: Review cookie values to ensure that sensitive information such as passwords are not present within them.
Results
Total cookies: 10
InquiryID=62955; path=/; domain=www.kompass-therapiebegleiter.de
SESSa1d09bb6cc6d03301008ba39ec8b2506=vg9kj6u8nujbcmg4r4p241bgvij93mbu; expires=Tue Jul 24 01:35:01 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1999908; httponly
SESSa1d09bb6cc6d03301008ba39ec8b2506=v62ptgn01p4ajr3i4emm1jarrhlddlil; path=/; domain=www.kompass-therapiebegleiter.de
__utma=153766946.1204051642.1341118844.1341118844.1341118844.1; expires=Mon Jun 30 22:02:37 2014; path=/; domain=.kompass-therapiebegleiter.de; max-age=63071964
__utmb=153766946.2.10.1341118844; expires=Sat Jun 30 22:32:37 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1764
__utmb=153766946.1.10.1341118844; path=/; domain=www.kompass-therapiebegleiter.de
__utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de
__utmz=153766946.1341118844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expires=Sun Dec 30 09:02:37 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767964
current_time=1341118900; path=/; domain=www.kompass-therapiebegleiter.de
has_js=1; path=/; domain=www.kompass-therapiebegleiter.de
QID: 150054 / Information Gathered
Email Addresses Collected
CWE IDs:
OWASP References:
WASC References:
Description: The email addresses listed in the Results section were collected from the returned HTML content during the crawl phase.
Impact: Email addresses may help a malicious user with brute force and phishing attacks.
Solution: Review the email list to see if they are all email addresses you want to expose.
Results
Number of emails: 2
datenschutz.jacde@jacde.jnj.com
jancil@its.jnj.com
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/basic_info
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using Clickjacking techniques.
Solution: Two of the most popular preventions are:
- X-Frame-Options: this header works with most modern browsers and can be used to prevent framing of the page.
- Framekiller: JavaScript code that prevents a malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload : N/A
Result : The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/therapy_planning
Description, Impact and Solution: as for the first QID 150081 finding above.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/sitemap
Description, Impact and Solution: as for the first QID 150081 finding above.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/shared_decision
Description, Impact and Solution: as for the first QID 150081 finding above.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/
Description, Impact and Solution: as for the first QID 150081 finding above.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/privacy_policy
Description, Impact and Solution: as for the first QID 150081 finding above.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/impressum
Description, Impact and Solution: as for the first QID 150081 finding above.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/legal_notice
Description, Impact and Solution: as for the first QID 150081 finding above.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/psychoedukation
Description, Impact and Solution: as for the first QID 150081 finding above.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/adherence
Description, Impact and Solution: as for the first QID 150081 finding above.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150099 / Information Gathered
Cookies Issued Without User Consent
CWE IDs:
OWASP References:
WASC References:
Description: The cookies listed in the Results section were issued from the web application during the crawl without accepting any opt-in dialogs.
Impact: Cookies may be set without user explicitly agreeing to accept them.
Solution: Review the application to ensure that all cookies listed are supposed to be issued without user opt-in. If the EU Cookie law is applicable for this web application, ensure these cookies require user opt-in or have been classified as exempt by your organization.
Results
Total cookies: 6
SESSa1d09bb6cc6d03301008ba39ec8b2506=fa7qu4blostqinffatpvuakqbtj2hpmo; expires=Tue Jul 24 01:36:32 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1999999; httponly
__utma=153766946.587451473.1341118993.1341118993.1341118993.1; expires=Mon Jun 30 22:03:12 2014; path=/; domain=.kompass-therapiebegleiter.de; max-age=63071999
__utmb=153766946.1.10.1341118993; expires=Sat Jun 30 22:33:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1799
__utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de
__utmz=153766946.1341118993.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expires=Sun Dec 30 09:03:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767999
has_js=1; path=/; domain=www.kompass-therapiebegleiter.de
Appendix - Web Application Profile : P&G-LC5H-LPF-MBTF-NSC_COM
Crawling
Form Submission: POST & GET
Maximum Link to Crawl: 500
Performance: LOW
Sensitive Content
Credit Card Numbers: No
Social Security Numbers: No
Custom: no
Custom Checks:
Detection
Option: COMPLETE
Password Bruteforcing
Option: MINIMAL
Number of Attempts: -
CONFIDENTIAL AND PROPRIETARY INFORMATION.
Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2012, Qualys, Inc.