ajaylns.github.io's Issues

Web Browser XSS Protection Not Enabled

Details

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

Recommendation

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Incomplete or No Cache-control and Pragma HTTP Header Set

Details

Description

The cache-control and pragma HTTP headers have not been set properly or are missing, allowing the browser and proxies to cache content.

Recommendation

Whenever possible, ensure the cache-control HTTP header is set to no-cache, no-store, must-revalidate, and that the pragma HTTP header is set to no-cache.

Finding on 2018-06-22 07:22:53

  • Name: Web Browser XSS Protection Not Enabled
  • ID: b8075bb54074179c133479d4b2785d47
  • Affected Hosts: ['https://ajaylns.github.io/']
  • Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server
  • First seen: 2018-06-22 07:22:53
  • Recommendation: Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Finding on 2018-06-08 08:13:00

  • Name: Web Browser XSS Protection Not Enabled
  • ID: e402e12a36cc4e78609a3e1c12e25608
  • Affected Hosts: ['http://yachts.coinonsale.com:8080']
  • Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server
  • First seen: 2018-06-08 08:13:00
  • Recommendation: Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
  • Source Link: https://staging.horangi.com/storyfier/detect/f34a65ab-6957-4b0c-a761-ab58391142ba/e402e12a36cc4e78609a3e1c12e25608

Finding on 2014-02-91

  • Name: Buffer Underflow
  • Description: Dummy Description
  • Affected Hosts: 129.9.9.1
  • First seen: 2014-02-91
  • Severity: low
  • Recommendation: rm -rf

Finding on 2018-06-22 07:22:53

  • Name: Web Browser XSS Protection Not Enabled
  • ID: a5fc6f5692ed622b015001bb62a7fa4f
  • Affected Hosts: ['https://ajaylns.github.io/sitemap.xml']
  • Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server
  • First seen: 2018-06-22 07:22:53
  • Recommendation: Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
  • Source Link: https://client.dev1.horangi.com/storyfier/detect/a6ec8942-871c-4522-aa2f-3002d84245a7/a5fc6f5692ed622b015001bb62a7fa4f

TCP timestamps

Details

  • ID: e765ef782e08f90dd83dcd11aec70edc
  • Affected Hosts: ['185.199.110.153']
  • First seen: 2018-08-10 08:27:22

Description

It was detected that the host implements RFC1323.

The following timestamps were retrieved with a delay of 1 second in between:
Packet 1: 162373903
Packet 2: 143333676

Recommendation

To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps

xss custom

Details

  • ID: ade76d29-398c-498c-b135-67a5dd34670a
  • Affected Hosts:
    • 86.32.33.46
  • First seen: 2019-03-20 01:00:00.759000

Description

random description

Recommendation

random recommendation

xss custom

Risk

Description

random description

Recommendation

random recommendation

Affected Hosts

  • Affected Hosts:
    • 86.32.33.46

Horangi detected this issue on 2019-03-20 01:00:00.759000

Finding on 2018-06-22 07:22:53

  • Name: Web Browser XSS Protection Not Enabled
  • ID: 71b8fa3f6d739b292688c93893f71303
  • Affected Hosts: ['https://ajaylns.github.io/robots.txt']
  • Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server
  • First seen: 2018-06-22 07:22:53
  • Recommendation: Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
  • Source Link: https://client.dev1.horangi.com/storyfier/detect/a6ec8942-871c-4522-aa2f-3002d84245a7/71b8fa3f6d739b292688c93893f71303

X-Content-Type-Options Header Missing

Details

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

Recommendation

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Finding on 2018-06-04 03:26:09

  • Name: X-Frame-Options Header Not Set
  • ID: c2686f9b7ec6d64f03eea649030e0947
  • Affected Hosts: ['http://yachts.coinonsale.com:8080/']
  • Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
  • First seen: 2018-06-04 03:26:09
  • Recommendation: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers.
  • Source Link: https://staging.horangi.com/storyfier/detect/f34a65ab-6957-4b0c-a761-ab58391142ba/c2686f9b7ec6d64f03eea649030e0947

Finding on 2018-06-22 07:22:53

  • Name: X-Frame-Options Header Not Set
  • ID: 317b1721948ab675d6043ef0b86bac97
  • Affected Hosts: ['https://ajaylns.github.io/']
  • Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
  • First seen: 2018-06-22 07:22:53
  • Recommendation: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers.
  • Source Link: https://client.dev1.horangi.com/storyfier/detect/a6ec8942-871c-4522-aa2f-3002d84245a7/317b1721948ab675d6043ef0b86bac97

Finding on 2014-02-91

  • Name: Buffer Underflow
  • ID: <% id %>
  • Affected Hosts: 129.9.9.1
  • Description: Dummy Description
  • First seen: 2014-02-91
  • Recommendation: rm -rf
  • Source Link: <% link %>

Buffer Underflow

Details

  • ID: drere
  • Affected Hosts:
    • 129.9.9.1
    • 8.8.8.8
  • First seen: 2014-02-91

Description

Dummy Description

Recommendation

rm -rf

Finding on 2014-02-91

  • Name: Buffer Underflow
  • ID: 213
  • Affected Hosts: 129.9.9.1
  • Description: Dummy Description
  • First seen: 2014-02-91
  • Recommendation: rm -rf
  • Source Link: /storyfier/detect/c243c7bc-4de2-4156-a135-8b5dbd6df4b2/213

xss custom

Risk

Details

  • ID: ade76d29-398c-498c-b135-67a5dd34670a
  • Affected Hosts:
    • 86.32.33.46
  • First seen: 2019-03-20 01:00:00.759000

Description

random description

Recommendation

random recommendation

TCP timestamps

Details

  • ID: e0eb2ad08f505b88d610f247663ec801
  • Affected Hosts:
    • 185.199.111.153
  • First seen: 2018-09-28 08:34:23

Description

It was detected that the host implements RFC1323.

The following timestamps were retrieved with a delay of 1 second in between:
Packet 1: 1178230214
Packet 2: 1222127495

Recommendation

To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps

Finding on 2014-02-91

  • Name: Buffer Underflow
  • ID: 213
  • Affected Hosts: 129.9.9.1
  • Description: Dummy Description
  • First seen: 2014-02-91
  • Recommendation: rm -rf
  • Source Link: <% link %>

xss custom

Details

  • ID: ade76d29-398c-498c-b135-67a5dd34670a
  • Affected Hosts:
    • 86.32.33.46
  • First seen: <% first_seen %>

Description

random description

Recommendation

random recommendation

Credentials should not be hard-coded

Risk: Critical

Code

https://bitbucket.org/andrianoh/sonar-lang-test/src/f5389f8733871d071fa933b76bdd0b4ad9939962/hello-php.php?fileviewer=file-view-default#hello-php.php-7

Description

Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed.

Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database.

Noncompliant Code Example

// Noncompliant: the username and password are string literals in the source
$uname = "steve";
$password = "blue";
connect($uname, $password);

Compliant Solution

// Compliant: credentials are loaded at runtime from protected storage
$uname = getEncryptedUser();
$password = getEncryptedPass();
connect($uname, $password);

See

Recommendation

Remove this hard-coded password.


Horangi detected this issue on 2018-11-02 07:46:49

Finding on 2018-06-22 07:22:53

  • Name: X-Content-Type-Options Header Missing
  • ID: beee7e4a229ed314de2b77563e117840
  • Affected Hosts: ['https://ajaylns.github.io/']
  • Description: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
  • First seen: 2018-06-22 07:22:53
  • Recommendation: Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
    If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
  • Source Link: https://client.dev1.horangi.com/storyfier/detect/a6ec8942-871c-4522-aa2f-3002d84245a7/beee7e4a229ed314de2b77563e117840

Finding on 2014-02-91

  • Name: Buffer Underflow
  • ID: 286d1706-316d-48ce-aaba-eef474c139cd
  • Affected Hosts: 129.9.9.1
  • Description: Dummy Description
  • First seen: 2014-02-91
  • Recommendation: rm -rf
  • Source Link: /storyfier/detect/c243c7bc-4de2-4156-a135-8b5dbd6df4b2/286d1706-316d-48ce-aaba-eef474c139cd

X-Frame-Options Header Not Set

Details

Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

Recommendation

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers.

Web Browser XSS Protection Not Enabled

Details

  • ID: a4ff8bf70b1215eda9c0ae050dbec6e8
  • Affected Hosts: ['https://kolyaak.github.io/']
  • First seen: 2018-02-01 10:36:21

Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

Recommendation

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Finding on 2018-06-22 07:22:53

  • Name: Incomplete or No Cache-control and Pragma HTTP Header Set
  • ID: 31d0ed53a164148bf12befd10641ccd9
  • Affected Hosts: ['https://ajaylns.github.io/']
  • Description: The cache-control and pragma HTTP headers have not been set properly or are missing, allowing the browser and proxies to cache content.
  • First seen: 2018-06-22 07:22:53
  • Recommendation: Whenever possible, ensure the cache-control HTTP header is set to no-cache, no-store, must-revalidate, and that the pragma HTTP header is set to no-cache.

Finding on 2018-02-02 02:42:11

  • Name: X-Frame-Options Header Not Set
  • ID: 3336872c38e540f95a66cf4c0d9835ae
  • Affected Hosts: ['http://coinonsale.com/']
  • Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
  • First seen: 2018-02-02 02:42:11
  • Recommendation: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers.
  • Source Link: https://staging.horangi.com/storyfier/detect/f34a65ab-6957-4b0c-a761-ab58391142ba/3336872c38e540f95a66cf4c0d9835ae

Finding on 2018-06-04 03:26:09

  • Name: Web Browser XSS Protection Not Enabled
  • ID: 81a57dfaf1a8d13d4b2be7ce4ed2e798
  • Affected Hosts: ['http://yachts.coinonsale.com:8080/']
  • Description: Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server
  • First seen: 2018-06-04 03:26:09
  • Recommendation: Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
  • Source Link: https://staging.horangi.com/storyfier/detect/f34a65ab-6957-4b0c-a761-ab58391142ba/81a57dfaf1a8d13d4b2be7ce4ed2e798

HTTP TRACE

Details

  • ID: fd89c54cef331fcf8b924368b2c15fcb
  • Affected Hosts: ['185.199.110.153']
  • First seen: 2018-06-29 07:35:09

Description

The GET method revealed the following proxies on the way to this web server:
HTTP/1.1 varnish

Recommendation
