Qualys, Inc
1600 Bridge Parkway
Redwood Shores, CA 94065
(650) 801 6100
Scan Results Report

Data Information
Type:                   WAS Scan Result
Author:                 Daneian Easy
Company:                Johnson and Johnson
Generation date:        09 Jul 2012 09:07AM GMT-0400

Settings
Sort Criteria:          Sort by descending Severity




The scan completed successfully in 30 minutes and 8 seconds.


Scan Information
Title                    EMEA-Pharma-EXT-Prod-Quaterly-kompass-therapiebegleiter.de - 2012-Jun-29
Scan Type                Vulnerability
Launch Mode              Scheduled
Start Date               01 Jul 2012 01:00AM GMT-0400
End Date                 01 Jul 2012 01:30AM GMT-0400
Web Application          kompass-therapiebegleiter.de
Target URL               http://www.kompass-therapiebegleiter.de
Authentication Record    None
Option Profile           P&G-LC5H-LPF-MBTF-NSC_COM
Scanner Appliance        External

Scan Summary
Security Risk
Authentication Status    None

Crawling Phase
Crawl Duration           00:02:38
# Links Crawled          51 Links
# Links In Queue         0 Links

Vulnerability Assessment Phase
Assessment Time          00:26:24
# Requests               10,044
Findings By Type

Sensitive Content By Group

Vulnerabilities by Group / Level

Name      Level 1     Level 2      Level 3   Level 4   Level 5   Total
XSS       0           0            0         0         0         0
SQL       0           0            0         0         0         0
PATH      0           0            0         0         0         0
INFO      10          0            1         0         0         11
Vulnerabilities by OWASP

Code        # Vulns
A-1         0
A-2         0
A-3         0
A-4         0
A-5         0
A-6         1
A-7         0
A-8         0
A-9         0
A-10        0

Top WASC Threats




 Results

QID: 150085                            / Information Disclosure

Slow HTTP POST vulnerability
URL: https://www.kompass-therapiebegleiter.de/contactus


CWE IDs:
OWASP References:             A6: Security Misconfiguration
WASC References:


Vulnerable Parameter:


Description:                  The application scanner discovered that the web application is probably vulnerable to a slow HTTP POST DDoS attack, an application-level (Layer 7) DDoS that occurs when an attacker holds
                              server connections open by sending properly crafted HTTP POST headers that contain a legitimate Content-Length header to inform the web server how much data to expect. After the HTTP
                              POST headers are fully sent, the HTTP POST message body is sent at slow speeds to prolong the completion of the connection and lock up server resources. Because the server waits for the
                              complete request body, it is supporting clients with slow or intermittent connections. More information can be found in this presentation.
Impact:                       All other services remain intact, but the web server itself becomes completely inaccessible.
Solution:                     The solution is server-specific, but the general recommendations are: - limit the size of acceptable requests to each form's requirements - establish a minimal acceptable transfer rate
                              - establish an absolute request timeout for connections carrying POST requests. An easy-to-use tool for intrusive testing is available here.


Results


Authenticated:                -
Form Entry Point:             -


Payload :                     N/A
Result :                      Vulnerable to slow HTTP POST attack
                              Server resets timeout after accepting request data from peer.



QID: 6                        / Information Gathered

DNS Host Name

CWE IDs:
OWASP References:
WASC References:



Description:        The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.
Impact:
Solution:


Results


IP address                                                                      Host name
77.246.41.39                                                                    No registered hostname




QID: 45038                    / Information Gathered

Host Scan Time

CWE IDs:
OWASP References:
WASC References:



Description:        The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below.

                    The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a
                    scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer
                    the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.

Impact:             N/A
Solution:           N/A


Results
Scan duration: 1760 seconds

Start time: Sun, Jul 01 2012, 05:00:17 GMT

End time: Sun, Jul 01 2012, 05:29:37 GMT




QID: 82040                                   / Information Gathered

ICMP Replies Received

CWE IDs:
OWASP References:
WASC References:



Description:                     ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. ICMP's principal purpose is to provide a protocol layer that informs gateways of the inter-connectivity and
                                 accessibility of other gateways or hosts.

                                 We have sent the following types of packets to trigger the host to send us ICMP replies:


                                 Echo Request (to trigger Echo Reply)
                                 Timestamp Request (to trigger Timestamp Reply)
                                 Address Mask Request (to trigger Address Mask Reply)
                                 UDP Packet (to trigger Port Unreachable Reply)
                                 IP Packet with Protocol >= 250 (to trigger Protocol Unreachable Reply)


                                 Listed in the "Result" section are the ICMP replies that we have received.

Impact:
Solution:


Results


ICMP Reply Type                                             Triggered By                                                    Additional Information
Echo (type=0 code=0)                                        Echo Request                                                    Echo Reply




QID: 150009                                  / Information Gathered

Links Crawled

CWE IDs:
OWASP References:
WASC References:
Description:   The list of unique links crawled by the Web application scanner appears in the Results section. This list may contain fewer links than the maximum threshold defined at scan launch. The maximum links to crawl
               includes links in this list, requests made via HTML forms, and requests for the same link made as an anonymous and an authenticated user.
Impact:        N/A
Solution:      N/A


Results
Duration of crawl phase (seconds): 158.00
Number of links: 51
(This number excludes form requests and links re-requested during authentication.)

http://www.kompass-therapiebegleiter.de/
http://www.kompass-therapiebegleiter.de/adherence
http://www.kompass-therapiebegleiter.de/basic_info
http://www.kompass-therapiebegleiter.de/contactus
http://www.kompass-therapiebegleiter.de/datenschutz-glossar
http://www.kompass-therapiebegleiter.de/impressum
http://www.kompass-therapiebegleiter.de/index.php
http://www.kompass-therapiebegleiter.de/legal_notice
http://www.kompass-therapiebegleiter.de/misc/favicon.ico
http://www.kompass-therapiebegleiter.de/privacy_policy
http://www.kompass-therapiebegleiter.de/psychoedukation
http://www.kompass-therapiebegleiter.de/shared_decision
http://www.kompass-therapiebegleiter.de/sitemap
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_patient.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_umschlag.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_Titel.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_inhalt.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_Titel_02.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_inhalt_02.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_adherence_therapiebegleiter.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_infoletter_1.pdf
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_pe_cl_krisenbewaeltigung.pdf
http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js
http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js
http://www.kompass-therapiebegleiter.de/therapy_planning
https://www.kompass-therapiebegleiter.de/
https://www.kompass-therapiebegleiter.de/adherence
https://www.kompass-therapiebegleiter.de/basic_info
https://www.kompass-therapiebegleiter.de/contactus
https://www.kompass-therapiebegleiter.de/contactus/
https://www.kompass-therapiebegleiter.de/contactus/confirm
https://www.kompass-therapiebegleiter.de/datenschutz-glossar
https://www.kompass-therapiebegleiter.de/impressum
https://www.kompass-therapiebegleiter.de/legal_notice
https://www.kompass-therapiebegleiter.de/misc/favicon.ico
https://www.kompass-therapiebegleiter.de/privacy_policy
https://www.kompass-therapiebegleiter.de/psychoedukation
https://www.kompass-therapiebegleiter.de/shared_decision
https://www.kompass-therapiebegleiter.de/sitemap
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_patient.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_umschlag.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_Titel.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_inhalt.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_Titel_02.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_inhalt_02.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_adherence_therapiebegleiter.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_infoletter_1.pdf
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_pe_cl_krisenbewaeltigung.pdf
https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js
https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js
https://www.kompass-therapiebegleiter.de/therapy_planning




QID: 150010                                 / Information Gathered
External Links Discovered

CWE IDs:
OWASP References:
WASC References:



Description:                     The external links discovered by the Web application scanning engine are provided in the Results section. These links were present on the target Web application, but were not crawled.
Impact:                          N/A
Solution:                        N/A


Results

Number of links: 8
http://www.google-analytics.com/ga.js
http://www.adobe.com/de/products/reader/
http://www.janssen-cilag.de/?product=kompass
https://ssl.google-analytics.com/ga.js
mailto:%5bno%20address%20given%5d
mailto:datenschutz.jacde@jacde.jnj.com
mailto:jancil@its.jnj.com
http://tools.google.com/dlpage/gaoptout?hl=de




QID: 150021                               / Information Gathered

Scan Diagnostics

CWE IDs:
OWASP References:
WASC References:



Description:                     This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application.
Impact:                          The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application.
Solution:                        No action is required.


Results
Loaded 0 blacklist entries.
Loaded 0 whitelist entries.
HTML form authentication unavailable, no WEBAPP entry found
Collected 57 links overall.
Path manipulation: estimated time < 1 minute (101 tests, 75 inputs)
Path manipulation: 101 vulnsigs tests, completed 3185 requests, 538 seconds. All tests completed.
WS enumeration: estimated time < 1 minute (9 tests, 69 inputs)
WS enumeration: 9 vulnsigs tests, completed 189 requests, 32 seconds. All tests completed.
Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (43 tests, 0 inputs)
Batch #1 URI parameter manipulation (no auth): 43 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Batch #1 Form parameter manipulation (no auth): estimated time < 1 minute (43 tests, 3 inputs)
Batch #1 Form parameter manipulation (no auth): 43 vulnsigs tests, completed 301 requests, 179 seconds. All tests completed.
Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (19 tests, 0 inputs)
Batch #1 URI blind SQL manipulation (no auth): 19 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Batch #1 Form blind SQL manipulation (no auth): estimated time < 1 minute (19 tests, 3 inputs)
Batch #1 Form blind SQL manipulation (no auth): 19 vulnsigs tests, completed 133 requests, 220 seconds. All tests completed.
Batch #1 Form field time-based tests (no auth): estimated time < 1 minute (8 tests, 0 inputs)
Batch #1 Form field time-based tests (no auth): 8 vulnsigs tests, completed 56 requests, 103 seconds. No tests to execute.
HTTP call manipulation: estimated time < 1 minute (32 tests, 0 inputs)
HTTP call manipulation: 32 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Open Redirect analysis: estimated time < 1 minute (1 tests, 0 inputs)
Open Redirect analysis: 1 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute.
Cookie manipulation: estimated time < 1 minute (36 tests, 10 inputs)
Cookie manipulation: 36 vulnsigs tests, completed 4725 requests, 428 seconds. XSS optimization removed 207 links. Completed 4725 requests of 11520 estimated requests (41%). All tests completed.
Header manipulation: estimated time < 1 minute (36 tests, 32 inputs)
Header manipulation: 36 vulnsigs tests, completed 768 requests, 84 seconds. XSS optimization removed 736 links. Completed 768 requests of 2304 estimated requests (33%). All tests completed.
Total requests made: 10044
Average server response time: 0.55 seconds
Most recent links:
200 https://www.kompass-therapiebegleiter.de/therapy_planning
200 https://www.kompass-therapiebegleiter.de/impressum
200 https://www.kompass-therapiebegleiter.de/psychoedukation
200 https://www.kompass-therapiebegleiter.de/privacy_policy
200 https://www.kompass-therapiebegleiter.de/basic_info
200 https://www.kompass-therapiebegleiter.de/contactus/confirm
200 https://www.kompass-therapiebegleiter.de/datenschutz-glossar
200 https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js
200 https://www.kompass-therapiebegleiter.de/contactus/
200 http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js




QID: 150028                                / Information Gathered

Cookies Collected

CWE IDs:
OWASP References:
WASC References:



Description:                      The cookies listed in the Results section were received from the web application during the crawl phase.
Impact:                           Cookies may contain sensitive information about the user. Cookies sent via HTTP may be sniffed.
Solution:                         Review cookie values to ensure that sensitive information such as passwords are not present within them.
Results

Total cookies: 10
InquiryID=62955; path=/; domain=www.kompass-therapiebegleiter.de
SESSa1d09bb6cc6d03301008ba39ec8b2506=vg9kj6u8nujbcmg4r4p241bgvij93mbu; expires=Tue Jul 24 01:35:01 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1999908; httponly
SESSa1d09bb6cc6d03301008ba39ec8b2506=v62ptgn01p4ajr3i4emm1jarrhlddlil; path=/; domain=www.kompass-therapiebegleiter.de
__utma=153766946.1204051642.1341118844.1341118844.1341118844.1; expires=Mon Jun 30 22:02:37 2014; path=/; domain=.kompass-therapiebegleiter.de; max-age=63071964
__utmb=153766946.2.10.1341118844; expires=Sat Jun 30 22:32:37 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1764
__utmb=153766946.1.10.1341118844; path=/; domain=www.kompass-therapiebegleiter.de
__utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de
__utmz=153766946.1341118844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expires=Sun Dec 30 09:02:37 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767964
current_time=1341118900; path=/; domain=www.kompass-therapiebegleiter.de
has_js=1; path=/; domain=www.kompass-therapiebegleiter.de




QID: 150054                                 / Information Gathered

Email Addresses Collected

CWE IDs:
OWASP References:
WASC References:



Description:                      The email addresses listed in the Results section were collected from the returned HTML content during the crawl phase.
Impact:                           Email addresses may help a malicious user with brute force and phishing attacks.
Solution:                         Review the email list to see if they are all email addresses you want to expose.


Results

Number of emails: 2
datenschutz.jacde@jacde.jnj.com
jancil@its.jnj.com




QID: 150081                                 / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/basic_info


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:
Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using Clickjacking techniques.
Solution:                     Two of the most popular preventions are: X-Frame-Options, a response header that works with most modern browsers and can be used to prevent framing of the page;
                              and a framekiller, JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload :                     N/A
Result :                      The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/therapy_planning


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using Clickjacking techniques.
Solution:                     Two of the most popular preventions are: X-Frame-Options, a response header that works with most modern browsers and can be used to prevent framing of the page;
                              and a framekiller, JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload :                     N/A
Result :                      The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/sitemap


CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using Clickjacking techniques.
Solution:                     Two of the most popular preventions are: X-Frame-Options, a response header that works with most modern browsers and can be used to prevent framing of the page;
                              and a framekiller, JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload :                     N/A
Result :                      The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/shared_decision


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using Clickjacking techniques.
Solution:                     Two of the most popular preventions are: X-Frame-Options, a response header that works with most modern browsers and can be used to prevent framing of the page;
                              and a framekiller, JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload :                     N/A
Result :                      The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/
CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using Clickjacking techniques.
Solution:                     Two of the most popular preventions are: X-Frame-Options, a response header that works with most modern browsers and can be used to prevent framing of the page;
                              and a framekiller, JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload :                     N/A
Result :                      The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/privacy_policy


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using Clickjacking techniques.
Solution:                     Two of the most popular preventions are: X-Frame-Options, a response header that works with most modern browsers and can be used to prevent framing of the page;
                              and a framekiller, JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload :                     N/A
Result :                      The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/impressum


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using Clickjacking techniques.
Solution:                     Two of the most popular preventions are: X-Frame-Options, a response header that works with most modern browsers and can be used to prevent framing of the page;
                              and a framekiller, JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                 -
Form Entry Point:              -


Payload :                      N/A
Result :                       The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                             / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/legal_notice


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using Clickjacking techniques.
Solution:                     Two of the most popular preventions are: X-Frame-Options, a response header that works with most modern browsers and can be used to prevent framing of the page;
                              and a framekiller, JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                 -
Form Entry Point:              -


Payload :                      N/A
Result :                       The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/psychoedukation


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using Clickjacking techniques.
Solution:                     Two of the most popular preventions are: X-Frame-Options, a response header that works with most modern browsers and can be used to prevent framing of the page;
                              and a framekiller, JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload :                     N/A
Result :                      The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150081                            / Information Disclosure

Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/adherence


CWE IDs:
OWASP References:
WASC References:


Vulnerable Parameter:


Description:                  An attacker can trick the user into clicking on a link by framing the original page and showing a layer on top of it with dummy buttons.
Impact:                       Attacks like CSRF can be performed using Clickjacking techniques.
Solution:                     Two of the most popular preventions are: X-Frame-Options, a response header that works with most modern browsers and can be used to prevent framing of the page;
                              and a framekiller, JavaScript code that prevents a malicious user from framing the page.


Results


Authenticated:                -
Form Entry Point:             -


Payload :                     N/A
Result :                      The response for this request did not have an "X-FRAME-OPTIONS" header present.



QID: 150099                              / Information Gathered

Cookies Issued Without User Consent

CWE IDs:
OWASP References:
WASC References:



Description:                   The cookies listed in the Results section were issued by the web application during the crawl without the crawler accepting any opt-in dialog.
Impact:                        Cookies may be set without the user explicitly agreeing to accept them.
Solution:                      Review the application to ensure that all cookies listed are supposed to be issued without user opt-in. If the EU cookie law is applicable to this web application, ensure these cookies require user opt-in or have
                               been classified as exempt by your organization.


Results

Total cookies: 6
SESSa1d09bb6cc6d03301008ba39ec8b2506=fa7qu4blostqinffatpvuakqbtj2hpmo; expires=Tue Jul 24 01:36:32 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1999999; httponly
__utma=153766946.587451473.1341118993.1341118993.1341118993.1; expires=Mon Jun 30 22:03:12 2014; path=/; domain=.kompass-therapiebegleiter.de; max-age=63071999
__utmb=153766946.1.10.1341118993; expires=Sat Jun 30 22:33:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1799
__utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de
__utmz=153766946.1341118993.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expires=Sun Dec 30 09:03:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767999
has_js=1; path=/; domain=www.kompass-therapiebegleiter.de
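The review the Solution field asks for (which of these cookies are strictly necessary, which need opt-in, and what else is wrong with them) is easy to do by hand for six cookies and tedious for a site with sixty. The following is an added example, not part of the Qualys report: it parses Set-Cookie lines in the format of the Results list above and produces a consent-review table plus the notes a reviewer would raise. The classification rules are assumptions for this example (the Drupal session cookie SESS<hash> and has_js are treated as strictly necessary, the classic Google Analytics __utm* cookies as analytics, everything else as unknown); the input lines are copied from the Results list, and the "served over http://" flag reflects the crawl list earlier in the report, which shows the host answering on both http:// and https://.

```python
"""Consent-review table for Set-Cookie lines collected during a crawl (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed classification rules for this example; tune for the application under review.
NECESSARY = re.compile(r"^(SESS[0-9a-f]{32}|has_js)$")   # Drupal session + JS-detection cookie
ANALYTICS = re.compile(r"^__utm[abcvz]$")                 # classic Google Analytics (ga.js)


@dataclass
class CookieReview:
    name: str
    category: str            # "necessary", "analytics" or "unknown"
    needs_consent: bool      # assumed: everything that is not strictly necessary
    persistent: bool         # has expires or max-age, i.e. survives the browser session
    max_age: int | None      # seconds, None when no max-age attribute was sent
    secure: bool
    httponly: bool
    domain: str


def parse_set_cookie(line: str) -> tuple[str, str, dict[str, str | None]]:
    """Split 'name=value; attr=value; flag' into (name, value, {attr: value or None})."""
    parts = [p.strip() for p in line.strip().split(";")]
    name, _, value = parts[0].partition("=")          # first '=' only: values may contain '='
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def review_cookie(line: str) -> CookieReview:
    name, _value, attrs = parse_set_cookie(line)
    if NECESSARY.match(name):
        category = "necessary"
    elif ANALYTICS.match(name):
        category = "analytics"
    else:
        category = "unknown"                          # unknown cookies go to manual review
    max_age = attrs.get("max-age")
    return CookieReview(
        name=name,
        category=category,
        needs_consent=category != "necessary",
        persistent="max-age" in attrs or "expires" in attrs,
        max_age=int(max_age) if max_age else None,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        domain=attrs.get("domain") or "",
    )


def consent_review(lines: list[str]) -> list[CookieReview]:
    return [review_cookie(line) for line in lines if line.strip()]


def findings(reviews: list[CookieReview], served_over_http: bool) -> list[str]:
    """Turn the table into the notes a reviewer would raise against the application."""
    notes = []
    for c in reviews:
        if c.needs_consent:
            notes.append(f"{c.name}: {c.category} cookie issued before any opt-in")
        if c.category == "necessary" and c.persistent and not c.secure and served_over_http:
            notes.append(f"{c.name}: persistent session cookie (max-age={c.max_age}) without the "
                         f"Secure flag on a site also served over http://")
    return notes


# Input copied from the Results list of QID 150099 above (wrapped lines re-joined).
REPORT_COOKIES = [
    "SESSa1d09bb6cc6d03301008ba39ec8b2506=fa7qu4blostqinffatpvuakqbtj2hpmo; expires=Tue Jul 24 01:36:32 2012; "
    "path=/; domain=.kompass-therapiebegleiter.de; max-age=1999999; httponly",
    "__utma=153766946.587451473.1341118993.1341118993.1341118993.1; expires=Mon Jun 30 22:03:12 2014; "
    "path=/; domain=.kompass-therapiebegleiter.de; max-age=63071999",
    "__utmb=153766946.1.10.1341118993; expires=Sat Jun 30 22:33:12 2012; path=/; "
    "domain=.kompass-therapiebegleiter.de; max-age=1799",
    "__utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de",
    "__utmz=153766946.1341118993.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); "
    "expires=Sun Dec 30 09:03:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767999",
    "has_js=1; path=/; domain=www.kompass-therapiebegleiter.de",
]

if __name__ == "__main__":
    table = consent_review(REPORT_COOKIES)
    for c in table:
        print(f"{c.name[:24]:24s} {c.category:10s} consent={c.needs_consent!s:5s} "
              f"persistent={c.persistent!s:5s} secure={c.secure!s:5s} httponly={c.httponly}")
    for note in findings(table, served_over_http=True):
        print("NOTE:", note)
```

Two things the table makes visible that the raw list does not: the four Google Analytics cookies are the ones that need an opt-in or an exemption decision, and the Drupal session cookie is HttpOnly but neither Secure nor session-scoped (it lives about 23 days), which matters because the same host is crawled over plain http://.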




 Appendix - Web Application Profile : P&G-LC5H-LPF-MBTF-NSC_COM


   Crawling
Form Submission:                       POST & GET
Maximum Link to Crawl:                 500
Performance:                           LOW


   Sensitive Content
Credit Card Numbers:                   No
Social Security Numbers:               No
Custom:                                no
Custom Checks:


   Detection
Option:                                    COMPLETE


   Password Bruteforcing
Option:                                    MINIMAL
Number of Attempts:                        -




CONFIDENTIAL AND PROPRIETARY INFORMATION.
Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2012, Qualys, Inc.

Application scan kompass_therapiebegleiter_de___2012_jun_29

  • 1. Qualys, Inc 1600 Bridge Parkway Redwood Shores, CA 94065 (650) 801 6100 Scan Results Report Data Information Settings Type: WAS Scan Result Sort Criteria Sort by descending Severity Author: Daneian Easy Company: Johnson and Johnson Generation date: 09 Jul 2012 09:07AM GMT-0400 The scan completed successfully in 30 minutes, and 8 seconds. Scan Information Scan Summary Title EMEA-Pharma-EXT-Prod-Quaterly-kompass-therapiebegleiter.de - 2012-Jun-29 Security Risk Scan Type Vulnerability Authentication Status None Launch Mode Scheduled Start Date 01 Jul 2012 01:00AM GMT-0400 Crawling Phase End Date 01 Jul 2012 01:30AM GMT-0400 Crawl Duration 00:02:38 Web Application kompass-therapiebegleiter.de # Links Crawled 51 Links Target URL # Links In Queue 0 Links http://www.kompass-therapiebegleiter.de Authentication Record None Vulnerability Assessment Phase Option Profile P&G-LC5H-LPF-MBTF-NSC_COM Assessment Time 00:26:24 Scanner Applicance External # Requests 10,044
  • 2. Findings By Type Sensitive Content By Group Vulnerabilities by Group / Level Name Level 1 Level 2 Level 3 Level 4 Level 5 Total XSS 0 0 0 0 0 0 SQL 0 0 0 0 0 0 PATH 0 0 0 0 0 0 INFO 10 0 1 0 0 11
  • 3. Vulnerabilities by OWASP Top WASC Threats Code # Vulns A-1 0 A-2 0 A-3 0 A-4 0 A-5 0 A-6 1 A-7 0 A-8 0 A-9 0 A-10 0 Results QID: 150085 / Information Disclosure Slow HTTP POST vulnerability URL: https://www.kompass-therapiebegleiter.de/contactus CWE IDs: OWASP References: A6: Security Misconfiguration WASC References: Vulnerable Parameter: Description: Application scanner discovered, that web application is probably vulnerable to slow HTTP POST DDoS attack - an application level (Layer 7) DDoS, that occurs when an attacker holds server connections open by sending properly crafted HTTP POST headers, that contain a legitimate Content-Length header to inform the web server how much of data to expect. After the HTTP POST headers are fully sent, the HTTP POST message body is sent at slow speeds to prolong the completion of the connection and lock up server resources.By waiting for complete request body, server supports clients with slow or intermittent connections More information can be found at the in this presentation. Impact: All other services remain intact but the web server itself becomes completely inaccessible. Solution: Solution would be server-specific, but general recommendations are: - to limit the size of the acceptable request to each form requirements - establish minimal acceptable speed rate - establish absolute request timeout for connection with POST request Easy to use tool for intrusive testing is available here. Results Authenticated: - Form Entry Point: - Payload : N/A
  • 4. Result : Vulnerable to slow HTTP POST attack Server resets timeout after accepting request data from peer. QID: 6 / Information Gathered DNS Host Name CWE IDs: OWASP References: WASC References: Description: The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section. Impact: Solution: Results IP address Host name 77.246.41.39 No registered hostname QID: 45038 / Information Gathered Host Scan Time CWE IDs: OWASP References: WASC References: Description: The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below. The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners. Impact: N/A Solution: N/A Results
  • 5. Scan duration: 1760 seconds Start time: Sun, Jul 01 2012, 05:00:17 GMT End time: Sun, Jul 01 2012, 05:29:37 GMT QID: 82040 / Information Gathered ICMP Replies Received CWE IDs: OWASP References: WASC References: Description: ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. ICMP's principal purpose is to provide a protocol layer that informs gateways of the inter-connectivity and accessibility of other gateways or hosts. We have sent the following types of packets to trigger the host to send us ICMP replies: Echo Request (to trigger Echo Reply) Timestamp Request (to trigger Timestamp Reply) Address Mask Request (to trigger Address Mask Reply) UDP Packet (to trigger Port Unreachable Reply) IP Packet with Protocol >= 250 (to trigger Protocol Unreachable Reply) Listed in the "Result" section are the ICMP replies that we have received. Impact: Solution: Results ICMP Reply Type Triggered By Additional Information Echo (type=0 code=0) Echo Request Echo Reply QID: 150009 / Information Gathered Links Crawled CWE IDs: OWASP References: WASC References:
  • 6. Description: The list of unique links crawled by the Web application scanner appear in the Results section. This list may contain fewer links than the maximum threshold defined at scan launch. The maximum links to crawl includes links in this list, requests made via HTML forms, and requests for the same link made as an anonymous and authenticated user. Impact: N/A Solution: N/A Results
  • 7. Duration of crawl phase (seconds): 158.00 Number of links: 51 (This number excludes form requests and links re-requested during authentication.) http://www.kompass-therapiebegleiter.de/ http://www.kompass-therapiebegleiter.de/adherence http://www.kompass-therapiebegleiter.de/basic_info http://www.kompass-therapiebegleiter.de/contactus http://www.kompass-therapiebegleiter.de/datenschutz-glossar http://www.kompass-therapiebegleiter.de/impressum http://www.kompass-therapiebegleiter.de/index.php http://www.kompass-therapiebegleiter.de/legal_notice http://www.kompass-therapiebegleiter.de/misc/favicon.ico http://www.kompass-therapiebegleiter.de/privacy_policy http://www.kompass-therapiebegleiter.de/psychoedukation http://www.kompass-therapiebegleiter.de/shared_decision http://www.kompass-therapiebegleiter.de/sitemap http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_patient.pdf http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_umschlag.pdf http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_Titel.pdf http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_inhalt.pdf http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_Titel_02.pdf http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_inhalt_02.pdf http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_adherence_therapiebegleiter.pdf http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_infoletter_1.pdf 
http://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_pe_cl_krisenbewaeltigung.pdf http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js http://www.kompass-therapiebegleiter.de/therapy_planning https://www.kompass-therapiebegleiter.de/ https://www.kompass-therapiebegleiter.de/adherence https://www.kompass-therapiebegleiter.de/basic_info https://www.kompass-therapiebegleiter.de/contactus https://www.kompass-therapiebegleiter.de/contactus/ https://www.kompass-therapiebegleiter.de/contactus/confirm https://www.kompass-therapiebegleiter.de/datenschutz-glossar https://www.kompass-therapiebegleiter.de/impressum https://www.kompass-therapiebegleiter.de/legal_notice https://www.kompass-therapiebegleiter.de/misc/favicon.ico https://www.kompass-therapiebegleiter.de/privacy_policy https://www.kompass-therapiebegleiter.de/psychoedukation https://www.kompass-therapiebegleiter.de/shared_decision https://www.kompass-therapiebegleiter.de/sitemap https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_patient.pdf https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_komp_adherence_checkliste_umschlag.pdf https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_Titel.pdf https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Praxismodul_inhalt.pdf https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_Titel_02.pdf 
https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_SDM_Broschuere_Therapiebegleiter_inhalt_02.pdf https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_adherence_therapiebegleiter.pdf https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_infoletter_1.pdf https://www.kompass-therapiebegleiter.de/sites/kompass-therapiebegleiter.de/themes/kompass_de/files/jc_kompass_pe_cl_krisenbewaeltigung.pdf https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js https://www.kompass-therapiebegleiter.de/therapy_planning QID: 150010 / Information Gathered
  • 8. External Links Discovered CWE IDs: OWASP References: WASC References: Description: The external links discovered by the Web application scanning engine are provided in the Results section. These links were present on the target Web application, but were not crawled. Impact: N/A Solution: N/A Results Number of links: 8 http://www.google-analytics.com/ga.js http://www.adobe.com/de/products/reader/ http://www.janssen-cilag.de/?product=kompass https://ssl.google-analytics.com/ga.js mailto:%5bno%20address%20given%5d mailto:datenschutz.jacde@jacde.jnj.com mailto:jancil@its.jnj.com http://tools.google.com/dlpage/gaoptout?hl=de QID: 150021 / Information Gathered Scan Diagnostics CWE IDs: OWASP References: WASC References: Description: This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application. Impact: The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application. Solution: No action is required. Results
  • 9. Loaded 0 blacklist entries. Loaded 0 whitelist entries. HTML form authentication unavailable, no WEBAPP entry found Collected 57 links overall. Path manipulation: estimated time < 1 minute (101 tests, 75 inputs) Path manipulation: 101 vulnsigs tests, completed 3185 requests, 538 seconds. All tests completed. WS enumeration: estimated time < 1 minute (9 tests, 69 inputs) WS enumeration: 9 vulnsigs tests, completed 189 requests, 32 seconds. All tests completed. Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (43 tests, 0 inputs) Batch #1 URI parameter manipulation (no auth): 43 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. Batch #1 Form parameter manipulation (no auth): estimated time < 1 minute (43 tests, 3 inputs) Batch #1 Form parameter manipulation (no auth): 43 vulnsigs tests, completed 301 requests, 179 seconds. All tests completed. Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (19 tests, 0 inputs) Batch #1 URI blind SQL manipulation (no auth): 19 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. Batch #1 Form blind SQL manipulation (no auth): estimated time < 1 minute (19 tests, 3 inputs) Batch #1 Form blind SQL manipulation (no auth): 19 vulnsigs tests, completed 133 requests, 220 seconds. All tests completed. Batch #1 Form field time-based tests (no auth): estimated time < 1 minute (8 tests, 0 inputs) Batch #1 Form field time-based tests (no auth): 8 vulnsigs tests, completed 56 requests, 103 seconds. No tests to execute. HTTP call manipulation: estimated time < 1 minute (32 tests, 0 inputs) HTTP call manipulation: 32 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. Open Redirect analysis: estimated time < 1 minute (1 tests, 0 inputs) Open Redirect analysis: 1 vulnsigs tests, completed 0 requests, 0 seconds. No tests to execute. 
Cookie manipulation: estimated time < 1 minute (36 tests, 10 inputs)
Cookie manipulation: 36 vulnsigs tests, completed 4725 requests, 428 seconds. XSS optimization removed 207 links. Completed 4725 requests of 11520 estimated requests (41%). All tests completed.
Header manipulation: estimated time < 1 minute (36 tests, 32 inputs)
Header manipulation: 36 vulnsigs tests, completed 768 requests, 84 seconds. XSS optimization removed 736 links. Completed 768 requests of 2304 estimated requests (33%). All tests completed.
Total requests made: 10044
Average server response time: 0.55 seconds
Most recent links:
200 https://www.kompass-therapiebegleiter.de/therapy_planning
200 https://www.kompass-therapiebegleiter.de/impressum
200 https://www.kompass-therapiebegleiter.de/psychoedukation
200 https://www.kompass-therapiebegleiter.de/privacy_policy
200 https://www.kompass-therapiebegleiter.de/basic_info
200 https://www.kompass-therapiebegleiter.de/contactus/confirm
200 https://www.kompass-therapiebegleiter.de/datenschutz-glossar
200 https://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_ba34bdc4c64a5162949a964e301494da.js
200 https://www.kompass-therapiebegleiter.de/contactus/
200 http://www.kompass-therapiebegleiter.de/sites/stage-kompass-therapiebegleiter-de.emea.cl.datapipe.net/files/js/js_94c53da7596f5cc6e5bd8036e6307bdc.js

QID: 150028 / Information Gathered
Cookies Collected
CWE IDs:
OWASP References:
WASC References:
Description: The cookies listed in the Results section were received from the web application during the crawl phase.
Impact: Cookies may contain sensitive information about the user. Cookies sent via HTTP may be sniffed.
Solution: Review cookie values to ensure that sensitive information such as passwords is not present within them.
Results
Total cookies: 10
InquiryID=62955; path=/; domain=www.kompass-therapiebegleiter.de
SESSa1d09bb6cc6d03301008ba39ec8b2506=vg9kj6u8nujbcmg4r4p241bgvij93mbu; expires=Tue Jul 24 01:35:01 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1999908; httponly
SESSa1d09bb6cc6d03301008ba39ec8b2506=v62ptgn01p4ajr3i4emm1jarrhlddlil; path=/; domain=www.kompass-therapiebegleiter.de
__utma=153766946.1204051642.1341118844.1341118844.1341118844.1; expires=Mon Jun 30 22:02:37 2014; path=/; domain=.kompass-therapiebegleiter.de; max-age=63071964
__utmb=153766946.2.10.1341118844; expires=Sat Jun 30 22:32:37 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1764
__utmb=153766946.1.10.1341118844; path=/; domain=www.kompass-therapiebegleiter.de
__utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de
__utmz=153766946.1341118844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expires=Sun Dec 30 09:02:37 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767964
current_time=1341118900; path=/; domain=www.kompass-therapiebegleiter.de
has_js=1; path=/; domain=www.kompass-therapiebegleiter.de

QID: 150054 / Information Gathered
Email Addresses Collected
CWE IDs:
OWASP References:
WASC References:
Description: The email addresses listed in the Results section were collected from the returned HTML content during the crawl phase.
Impact: Email addresses may help a malicious user with brute force and phishing attacks.
Solution: Review the email list to see if they are all email addresses you want to expose.
Results
Number of emails: 2
datenschutz.jacde@jacde.jnj.com
jancil@its.jnj.com

QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/basic_info
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using Clickjacking techniques.
Solution: Two of the most popular preventions are:
X-Frame-Options: This header works with most of the modern browsers and can be used to prevent framing of the page.
Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.

QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/therapy_planning
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using Clickjacking techniques.
Solution: Two of the most popular preventions are:
X-Frame-Options: This header works with most of the modern browsers and can be used to prevent framing of the page.
Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.

QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/sitemap
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using Clickjacking techniques.
Solution: Two of the most popular preventions are:
X-Frame-Options: This header works with most of the modern browsers and can be used to prevent framing of the page.
Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.

QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/shared_decision
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using Clickjacking techniques.
Solution: Two of the most popular preventions are:
X-Frame-Options: This header works with most of the modern browsers and can be used to prevent framing of the page.
Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.

QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using Clickjacking techniques.
Solution: Two of the most popular preventions are:
X-Frame-Options: This header works with most of the modern browsers and can be used to prevent framing of the page.
Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.

QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/privacy_policy
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using Clickjacking techniques.
Solution: Two of the most popular preventions are:
X-Frame-Options: This header works with most of the modern browsers and can be used to prevent framing of the page.
Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.

QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/impressum
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using Clickjacking techniques.
Solution: Two of the most popular preventions are:
X-Frame-Options: This header works with most of the modern browsers and can be used to prevent framing of the page.
Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.

QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/legal_notice
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using Clickjacking techniques.
Solution: Two of the most popular preventions are:
X-Frame-Options: This header works with most of the modern browsers and can be used to prevent framing of the page.
Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.
QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/psychoedukation
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using Clickjacking techniques.
Solution: Two of the most popular preventions are:
X-Frame-Options: This header works with most of the modern browsers and can be used to prevent framing of the page.
Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.

QID: 150081 / Information Disclosure
Possible Clickjacking Vulnerability
URL: http://www.kompass-therapiebegleiter.de/adherence
CWE IDs:
OWASP References:
WASC References:
Vulnerable Parameter:
Description: An attacker can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
Impact: Attacks like CSRF can be performed using Clickjacking techniques.
Solution: Two of the most popular preventions are:
X-Frame-Options: This header works with most of the modern browsers and can be used to prevent framing of the page.
Framekiller: JavaScript code that prevents the malicious user from framing the page.
Results
Authenticated: -
Form Entry Point: -
Payload: N/A
Result: The response for this request did not have an "X-FRAME-OPTIONS" header present.

QID: 150099 / Information Gathered
Cookies Issued Without User Consent
CWE IDs:
OWASP References:
WASC References:
Description: The cookies listed in the Results section were issued from the web application during the crawl without accepting any opt-in dialogs.
Impact: Cookies may be set without the user explicitly agreeing to accept them.
Solution: Review the application to ensure that all cookies listed are supposed to be issued without user opt-in. If the EU Cookie law is applicable for this web application, ensure these cookies require user opt-in or have been classified as exempt by your organization.
Results
Total cookies: 6
SESSa1d09bb6cc6d03301008ba39ec8b2506=fa7qu4blostqinffatpvuakqbtj2hpmo; expires=Tue Jul 24 01:36:32 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1999999; httponly
__utma=153766946.587451473.1341118993.1341118993.1341118993.1; expires=Mon Jun 30 22:03:12 2014; path=/; domain=.kompass-therapiebegleiter.de; max-age=63071999
__utmb=153766946.1.10.1341118993; expires=Sat Jun 30 22:33:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=1799
__utmc=153766946; path=/; domain=.kompass-therapiebegleiter.de
__utmz=153766946.1341118993.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); expires=Sun Dec 30 09:03:12 2012; path=/; domain=.kompass-therapiebegleiter.de; max-age=15767999
has_js=1; path=/; domain=www.kompass-therapiebegleiter.de

Appendix
Web Application Profile: P&G-LC5H-LPF-MBTF-NSC_COM
Crawling
Form Submission: POST & GET
Maximum Link to Crawl: 500
Performance: LOW
Sensitive Content
Credit Card Numbers: No
Social Security Numbers: No
Custom: no
Custom Checks:
Detection Option: COMPLETE
Password Bruteforcing Option: MINIMAL
Number of Attempts: -

CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2012, Qualys, Inc.