ajaylns.github.io's Issues
Web Browser XSS Protection Not Enabled
Details
- ID: a5fc6f5692ed622b015001bb62a7fa4f
- Affected Hosts:
- First seen: 2018-08-15 05:50:15
Description
Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.
Recommendation
Ensure that the web browser's XSS filter is enabled by setting the X-XSS-Protection HTTP response header to '1'.
Incomplete or No Cache-control and Pragma HTTP Header Set
Details
- ID: 31d0ed53a164148bf12befd10641ccd9
- Affected Hosts:
- First seen: 2018-08-15 05:50:15
Description
The Cache-Control and Pragma HTTP headers have not been set properly or are missing, allowing the browser and proxies to cache content.
Recommendation
Whenever possible, ensure the Cache-Control HTTP header is set to no-cache, no-store, must-revalidate and that the Pragma HTTP header is set to no-cache.
Finding on 2018-06-22 07:22:53
- Name: Web Browser XSS Protection Not Enabled
- ID: b8075bb54074179c133479d4b2785d47
- Affected Hosts: ['https://ajaylns.github.io/']
- Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.
- First seen: 2018-06-22 07:22:53
- Recommendation: Ensure that the web browser's XSS filter is enabled by setting the X-XSS-Protection HTTP response header to '1'.
Finding on 2014-02-91
- Name: Buffer Underflow
- ID: 213
- Affected Hosts: 129.9.9.1
- Description: Dummy Description
- First seen: 2014-02-91
- Recommendation: rm -rf
- Source Link: https://app.horangi.com/storyfier/detect/c243c7bc-4de2-4156-a135-8b5dbd6df4b2/213
Finding on 018-07-05T09:01:42
Test
Finding on 2018-06-08 08:13:00
- Name: Web Browser XSS Protection Not Enabled
- ID: e402e12a36cc4e78609a3e1c12e25608
- Affected Hosts: ['http://yachts.coinonsale.com:8080']
- Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.
- First seen: 2018-06-08 08:13:00
- Recommendation: Ensure that the web browser's XSS filter is enabled by setting the X-XSS-Protection HTTP response header to '1'.
- Source Link: https://staging.horangi.com/storyfier/detect/f34a65ab-6957-4b0c-a761-ab58391142ba/e402e12a36cc4e78609a3e1c12e25608
Finding on 2014-02-91
- Name: Buffer Underflow
- Affected Hosts: 129.9.9.1
- Description: Dummy Description
- First seen: 2014-02-91
- Severity: low
- Recommendation: rm -rf
Finding on 2018-06-22 07:22:53
- Name: Web Browser XSS Protection Not Enabled
- ID: a5fc6f5692ed622b015001bb62a7fa4f
- Affected Hosts: ['https://ajaylns.github.io/sitemap.xml']
- Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.
- First seen: 2018-06-22 07:22:53
- Recommendation: Ensure that the web browser's XSS filter is enabled by setting the X-XSS-Protection HTTP response header to '1'.
- Source Link: https://client.dev1.horangi.com/storyfier/detect/a6ec8942-871c-4522-aa2f-3002d84245a7/a5fc6f5692ed622b015001bb62a7fa4f
Finding on 2014-02-91
- Name: Buffer Underflow
- ID: 213
- Affected Hosts: 129.9.9.1
- Description: Dummy Description
- First seen: 2014-02-91
- Recommendation: rm -rf
- Source Link: https://app.horangi.com/storyfier/detect?q=213
TCP timestamps
Details
- ID: e765ef782e08f90dd83dcd11aec70edc
- Affected Hosts: ['185.199.110.153']
- First seen: 2018-08-10 08:27:22
Description
It was detected that the host implements RFC1323.
The following timestamps were retrieved with a delay of 1 second in between:
Packet 1: 162373903
Packet 2: 143333676
Recommendation:
To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps
Finding on 2014-02-91
- Name: Buffer Underflow
- ID: cbece960-dfc2-4d31-a3e9-5c74d95ea9f8
- Affected Hosts: 129.9.9.1
- Description: Dummy Description
- First seen: 2014-02-91
- Recommendation: rm -rf
- Source Link: https://app.horangi.com/storyfier/detect/c243c7bc-4de2-4156-a135-8b5dbd6df4b2/cbece960-dfc2-4d31-a3e9-5c74d95ea9f8
xss custom
Details
- ID: ade76d29-398c-498c-b135-67a5dd34670a
- Affected Hosts:
- 86.32.33.46
- First seen: 2019-03-20 01:00:00.759000
Description
random description
Recommendation
random recommendation
xss custom
Finding on 2018-06-22 07:22:53
- Name: Web Browser XSS Protection Not Enabled
- ID: 71b8fa3f6d739b292688c93893f71303
- Affected Hosts: ['https://ajaylns.github.io/robots.txt']
- Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.
- First seen: 2018-06-22 07:22:53
- Recommendation: Ensure that the web browser's XSS filter is enabled by setting the X-XSS-Protection HTTP response header to '1'.
- Source Link: https://client.dev1.horangi.com/storyfier/detect/a6ec8942-871c-4522-aa2f-3002d84245a7/71b8fa3f6d739b292688c93893f71303
X-Content-Type-Options Header Missing
Details
- ID: beee7e4a229ed314de2b77563e117840
- Affected Hosts:
- First seen: 2018-08-15 05:50:15
Description
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
Recommendation
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
Finding on 2018-06-04 03:26:09
- Name: X-Frame-Options Header Not Set
- ID: c2686f9b7ec6d64f03eea649030e0947
- Affected Hosts: ['http://yachts.coinonsale.com:8080/']
- Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
- First seen: 2018-06-04 03:26:09
- Recommendation: Most modern web browsers support the X-Frame-Options HTTP header. Ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your own server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY. ALLOW-FROM allows specific websites to frame the page in the browsers that support it.
- Source Link: https://staging.horangi.com/storyfier/detect/f34a65ab-6957-4b0c-a761-ab58391142ba/c2686f9b7ec6d64f03eea649030e0947
Finding on 2018-06-22 07:22:53
- Name: X-Frame-Options Header Not Set
- ID: 317b1721948ab675d6043ef0b86bac97
- Affected Hosts: ['https://ajaylns.github.io/']
- Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
- First seen: 2018-06-22 07:22:53
- Recommendation: Most modern web browsers support the X-Frame-Options HTTP header. Ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your own server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY. ALLOW-FROM allows specific websites to frame the page in the browsers that support it.
- Source Link: https://client.dev1.horangi.com/storyfier/detect/a6ec8942-871c-4522-aa2f-3002d84245a7/317b1721948ab675d6043ef0b86bac97
Finding on 2014-02-91
- Name: Buffer Underflow
- ID: <% id %>
- Affected Hosts: 129.9.9.1
- Description: Dummy Description
- First seen: 2014-02-91
- Recommendation: rm -rf
- Source Link: <% link %>
Buffer Underflow
Details
- ID: drere
- Affected Hosts:
- 129.9.9.1
- 8.8.8.8
- First seen: 2014-02-91
Description
Dummy Description
Recommendation:
rm -rf
Finding on 2014-02-91
- Name: Buffer Underflow
- ID: 213
- Affected Hosts: 129.9.9.1
- Description: Dummy Description
- First seen: 2014-02-91
- Recommendation: rm -rf
- Source Link: /storyfier/detect/c243c7bc-4de2-4156-a135-8b5dbd6df4b2/213
TCP timestamps
Details
- ID: e0eb2ad08f505b88d610f247663ec801
- Affected Hosts:
- 185.199.111.153
- First seen: 2018-09-28 08:34:23
Description
It was detected that the host implements RFC1323.
The following timestamps were retrieved with a delay of 1 second in between:
Packet 1: 1178230214
Packet 2: 1222127495
Recommendation
To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps
Finding on 2018-06-29 07:30:43
- Name: TCP timestamps
- ID: 7f340ecb1473f944288ab7dd9d0211c7
- Affected Hosts: ['185.199.110.153']
- Description: It was detected that the host implements RFC1323.
- First seen: 2018-06-29 07:30:43
- Recommendation: To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps
- Source Link: https://client.dev1.horangi.com/storyfier/detect/a6ec8942-871c-4522-aa2f-3002d84245a7/7f340ecb1473f944288ab7dd9d0211c7
Finding on 2014-02-91
- Name: Buffer Underflow
- ID: 213
- Affected Hosts: 129.9.9.1
- Description: Dummy Description
- First seen: 2014-02-91
- Recommendation: rm -rf
- Source Link: <% link %>
xss custom
Details
- ID: ade76d29-398c-498c-b135-67a5dd34670a
- Affected Hosts:
- 86.32.33.46
- First seen: <% first_seen %>
Description
random description
Recommendation
random recommendation
Credentials should not be hard-coded
Risk: Critical
Code
Description
Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed.
Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database.
Noncompliant Code Example
$uname = "steve";
$password = "blue";
connect($uname, $password);
Compliant Solution
$uname = getEncryptedUser();
$password = getEncryptedPass();
connect($uname, $password);
See
- MITRE, CWE-798 - Use of Hard-coded Credentials
- MITRE, CWE-259 - Use of Hard-coded Password
- SANS Top 25 - Porous Defenses
- CERT, MSC03-J. - Never hard code sensitive information
- OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
- Derived from FindSecBugs rule Hard Coded Password
Recommendation
Remove this hard-coded password.
Horangi detected this issue on 2018-11-02 07:46:49
Finding on 2018-06-22 07:22:53
- Name: X-Content-Type-Options Header Missing
- ID: beee7e4a229ed314de2b77563e117840
- Affected Hosts: ['https://ajaylns.github.io/']
- Description: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
- First seen: 2018-06-22 07:22:53
- Recommendation: Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages. If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
- Source Link: https://client.dev1.horangi.com/storyfier/detect/a6ec8942-871c-4522-aa2f-3002d84245a7/beee7e4a229ed314de2b77563e117840
Finding on 2014-02-91
- Name: Buffer Underflow
- ID: 286d1706-316d-48ce-aaba-eef474c139cd
- Affected Hosts: 129.9.9.1
- Description: Dummy Description
- First seen: 2014-02-91
- Recommendation: rm -rf
- Source Link: /storyfier/detect/c243c7bc-4de2-4156-a135-8b5dbd6df4b2/286d1706-316d-48ce-aaba-eef474c139cd
X-Frame-Options Header Not Set
Details
- ID: 317b1721948ab675d6043ef0b86bac97
- Affected Hosts:
- First seen: 2018-08-15 05:50:15
Description
X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
Recommendation
Most modern web browsers support the X-Frame-Options HTTP header. Ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your own server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY. ALLOW-FROM allows specific websites to frame the page in the browsers that support it.
Web Browser XSS Protection Not Enabled
Details
- ID: a4ff8bf70b1215eda9c0ae050dbec6e8
- Affected Hosts: ['https://kolyaak.github.io/']
- First seen: 2018-02-01 10:36:21
Description
Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.
Recommendation:
Ensure that the web browser's XSS filter is enabled by setting the X-XSS-Protection HTTP response header to '1'.
Finding on 2018-06-22 07:22:53
- Name: Incomplete or No Cache-control and Pragma HTTP Header Set
- ID: 31d0ed53a164148bf12befd10641ccd9
- Affected Hosts: ['https://ajaylns.github.io/']
- Description: The Cache-Control and Pragma HTTP headers have not been set properly or are missing, allowing the browser and proxies to cache content.
- First seen: 2018-06-22 07:22:53
- Recommendation: Whenever possible, ensure the Cache-Control HTTP header is set to no-cache, no-store, must-revalidate and that the Pragma HTTP header is set to no-cache.
Finding on 2018-02-02 02:42:11
- Name: X-Frame-Options Header Not Set
- ID: 3336872c38e540f95a66cf4c0d9835ae
- Affected Hosts: ['http://coinonsale.com/']
- Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
- First seen: 2018-02-02 02:42:11
- Recommendation: Most modern web browsers support the X-Frame-Options HTTP header. Ensure it is set on all web pages returned by your site. If you expect the page to be framed only by pages on your own server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY. ALLOW-FROM allows specific websites to frame the page in the browsers that support it.
- Source Link: https://staging.horangi.com/storyfier/detect/f34a65ab-6957-4b0c-a761-ab58391142ba/3336872c38e540f95a66cf4c0d9835ae
Finding on 2018-06-04 03:26:09
- Name: Web Browser XSS Protection Not Enabled
- ID: 81a57dfaf1a8d13d4b2be7ce4ed2e798
- Affected Hosts: ['http://yachts.coinonsale.com:8080/']
- Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.
- First seen: 2018-06-04 03:26:09
- Recommendation: Ensure that the web browser's XSS filter is enabled by setting the X-XSS-Protection HTTP response header to '1'.
- Source Link: https://staging.horangi.com/storyfier/detect/f34a65ab-6957-4b0c-a761-ab58391142ba/81a57dfaf1a8d13d4b2be7ce4ed2e798
HTTP TRACE
Details
- ID: fd89c54cef331fcf8b924368b2c15fcb
- Affected Hosts: ['185.199.110.153']
- First seen: 2018-06-29 07:35:09
Description
The GET method revealed the following proxies on the way to this web server:
HTTP/1.1 varnish
Recommendation: