Author Topic: Cookie checker site itself struggles with website security headers!

Posted by polonus (Avast Überevangelist, malware fighter)
While scanning for these security header issues I see the majority of sites haven't got their HTTP header policies set correctly to protect the site against potential attackers and protect the site's visitors. It seems there is an awful lot to be done to get website server configurations somewhat more secure and there is quite some further education required. Well, at least the visitors of avast! support forums can learn about existing insecurities here in the virus and worms section and take measures accordingly.

Well look here: https://asafaweb.com/Scan?Url=websitecookiechecker.com
Custom errors: Fail
Requested URL: http://websitecookiechecker.com/?foo=<script> | Response URL: http://websitecookiechecker.com/?foo=<script> | Page title: A potentially dangerous Request.QueryString value was detected from the client (foo="<script>"). | HTTP status code: 500 (Internal server error) | Response size: 7,118 bytes | Duration: 304 ms
Overview
Custom errors are used to ensure that internal error messages are not exposed to end users. Instead, a custom error message should be returned which provides a friendlier user experience and keeps potentially sensitive internal implementation information away from public view.

Result
It looks like custom errors are not correctly configured as the requested URL contains the heading "Server Error in".
Stack trace: Fail
Requested URL: http://websitecookiechecker.com/?foo=<script> | Response URL: http://websitecookiechecker.com/?foo=<script> | Page title: A potentially dangerous Request.QueryString value was detected from the client (foo="<script>"). | HTTP status code: 500 (Internal server error) | Response size: 7,118 bytes | Duration: 304 ms
Overview
Stack traces are used during the development process to provide verbose information when a server error occurs. This information can be leveraged to exploit the application as it discloses potentially sensitive information about the internal implementation of the website. Custom errors should be used to keep this information from view.

Result
It looks like a stack trace is being returned as detected by the presence of a "<b>Stack Trace:</b>" entry on the requested URL. Stack traces are particularly dangerous to expose publicly as they may contain code-level information about the page.

It's easy to hide the stack trace: just configure the web.config to ensure the mode is either "On" or "RemoteOnly".

Excessive headers: Warning
Requested URL: http://websitecookiechecker.com/ | Response URL: http://websitecookiechecker.com/ | Page title: Website Cookie Checker | EU Cookie Law Compliance | HTTP status code: 200 (OK) | Response size: 8,365 bytes | Duration: 357 ms
Overview
By default, excessive information about the server and frameworks used by an ASP.NET application is returned in the response headers. These headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers.

Result
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Configuring the application to not return unnecessary headers keeps this information silent and makes it significantly more difficult to identify the underlying frameworks.

Clickjacking: Warning
Requested URL: http://websitecookiechecker.com/ | Response URL: http://websitecookiechecker.com/ | Page title: Website Cookie Checker | EU Cookie Law Compliance | HTTP status code: 200 (OK) | Response size: 8,365 bytes | Duration: 357 ms
Overview
Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An "X-Frame-Options" header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from trusted URIs.

Result
It doesn't look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

Security Header scan:

X-Frame-Options
Uh oh! X-Frame-Options does not appear to be found in the site's HTTP header, increasing the likelihood of successful clickjacking attacks.

Strict-Transport-Security
Uh oh! Strict-Transport-Security does not appear to be found in the site's HTTP header, so browsers will not try to access your pages over SSL first.

Nosniff
Uh oh! nosniff does not appear to be found in the site's HTTP header, allowing Internet Explorer the opportunity to deliver malicious content via data that it has incorrectly identified to be of a certain MIME type.

X-XSS-Protection
Uh oh! We didn't detect any mention of X-XSS-Protection in headers anywhere, so there's likely room to improve if we want to be as secure as possible against cross site scripting.

Content Security Policy
Uh oh! We did not detect Content-Security-Policy, x-webkit-csp, or even x-webkit-csp-report-only in the site's HTTP header, making XSS attacks more likely to succeed.

Server Information
Uh oh! Server: was found in this site's HTTP header, possibly making it easier for attackers to know about potential vulnerabilities that may exist on your site!

X-Powered-By
Uh oh! X-Powered-By was found in this site's HTTP header, making it easier for attackers to know about potential vulnerabilities that may exist on your site!

Cross Domain Meta Policy
Uh oh! Permitted-Cross-Domain-Policies does not appear to be found in the site's HTTP header, so it's possible that cross domain policies can be set by other users on your site and be obeyed by Adobe Flash and PDF files.

Some work for those responsible for that site's security.

Website risks: http://toolbar.netcraft.com/site_report?url=http://websitecookiechecker.com

So HTTP security headers that weren't returned include: x-content-type-options, x-xss-protection, x-frame-options and content-security-policy.

Page meta-security headers that weren't returned include content-security-policy and cache-control.

Code hiccup: websitecookiechecker dot com/ScriptResource.axd?d=mi2ZH1fhjHZa8nYCID6_oUwW1M6_Cz84w5TBnp9MEyWYA4qV4ZALFb4RzWIxQcwiCRkrANuK9d3SdecR_1eqFSM3kmq45jnS3LDfLWDNp-1fiE6cViGYfby1gIVEtMsRhB_qjGEybdwKGC1FJgKCFQ2&t=ffffffffe3663df5 benign
[nothing detected] (script) websitecookiechecker dot com/ScriptResource.axd?d=mi2ZH1fhjHZa8nYCID6_oUwW1M6_Cz84w5TBnp9MEyWYA4qV4ZALFb4RzWIxQcwiCRkrANuK9d3SdecR_1eqFSM3kmq45jnS3LDfLWDNp-1fiE6cViGYfby1gIVEtMsRhB_qjGEybdwKGC1FJgKCFQ2&t=ffffffffe3663df5
     status: (referer=websitecookiechecker dot com/)saved 357822 bytes 6e913fcbf8ab07ae6b775df4ba7c9e6745633419
     info: [decodingLevel=0] found JavaScript
     suspicious:

No SSL support found - http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fwebsitecookiechecker.com%2F&useragent=Fetch+useragent&accept_encoding=

Was div.accordion Content checked for various div fails?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
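The checks the post's scan results walk through (missing X-Frame-Options, HSTS, nosniff, X-XSS-Protection, CSP, Permitted-Cross-Domain-Policies, plus the leaky Server / X-Powered-By / X-AspNet-Version headers) can be run locally against any response's headers. This is an added example, not code from the post or from either scanner; the header names and recommended values are the standard ones, and SAMPLE_HEADERS is a constructed dict mirroring the headers quoted above.

```python
from typing import Dict, List

# Headers the scan expects, each with the value a defender would normally set.
REQUIRED = {
    "x-frame-options": "DENY or SAMEORIGIN (clickjacking)",
    "strict-transport-security": "max-age=31536000; includeSubDomains (HSTS)",
    "x-content-type-options": "nosniff (MIME sniffing)",
    "x-xss-protection": "1; mode=block (legacy browser XSS filter)",
    "content-security-policy": "e.g. default-src 'self' (XSS)",
    "x-permitted-cross-domain-policies": "none (Flash/PDF cross-domain policy)",
}
# Headers that only advertise the platform (the "Excessive headers" warning).
LEAKY = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def audit_headers(headers: Dict[str, str], https: bool = True) -> List[str]:
    """Return one finding per problem; an empty list means all checks pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []
    for name, fix in REQUIRED.items():
        if name not in h:
            findings.append(f"missing {name}: set {fix}")
    if not https:  # HSTS is only honoured when the page itself came over TLS
        findings.append("served over plain HTTP: HSTS is ignored until HTTPS is enabled")
    # Headers that are present but carry a weak value.
    xfo = h.get("x-frame-options", "DENY").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak x-frame-options '{xfo}': use DENY or SAMEORIGIN")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("x-content-type-options must be exactly 'nosniff'")
    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("content-security-policy allows unsafe-inline/unsafe-eval")
    for name in LEAKY:
        if name in h:
            findings.append(f"remove {name}: {h[name]} (platform disclosure)")
    return findings


# Constructed sample mirroring the response headers quoted in the post.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Microsoft-IIS/7.5",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "4.0.30319",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS, https=False):
        print(finding)
```

Feed it the headers of a live response (for example the dict from `requests.get(url).headers`) to reproduce the scan's findings for your own site before an external checker does.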