Pentest-Bukalapak-Marzuki Hasibuan.pdf

12/8/22, 10:28 PM ZAP Scanning Report
file:///G:/PENTEST BUKALAPAK/Report.html 1/420

ZAP Scanning Report

Summary of Alerts

Risk Level      Number of Alerts
High            1
Medium          62
Low             147
Informational   52

Alert Detail

High (Medium) Remote OS Command Injection
Description: Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs.
URL http://m.bukalapak.com/listrik-pln/token-listrik?from=mweb_homepage%22%3Bsleep+15%3B%22 | Method GET | Parameter from | Attack mweb_homepage";sleep 15;"
URL http://m.bukalapak.com/tiket-pesawat?desktop_view=1&from=mweb_homepage%3Bsleep+15%3B | Method GET | Parameter from | Attack mweb_homepage;sleep 15;
URL http://m.bukalapak.com/kereta-api?desktop_view=1&from=mweb_homepage%22%3Bsleep+15%3B%22 | Method GET | Parameter from | Attack mweb_homepage";sleep 15;"
Instances: 3
Solution:
If at all possible, use library calls rather than external processes to recreate the desired functionality.
Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by your software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows you to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
For any data that will be used to generate a command to be executed, keep as much of that data out of external control as possible. For example, in web applications, this may require storing the command locally in the session's state instead of sending it out to the client in a hidden form field.
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
If you need to use dynamically-generated query strings or commands in spite of the risk, properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict whitelist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection.
If the program to be executed allows arguments to be specified within an input file or from standard input, then consider using that mode to pass arguments instead of the command line.
If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments.
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."
When constructing OS command strings, use stringent whitelists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping.
Note that proper output encoding, escaping, and quoting is the most effective solution for preventing OS command injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent OS command injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, when invoking a mail program, you might need to allow the subject field to contain otherwise-dangerous inputs like ";" and ">" characters, which would need to be escaped or otherwise handled. In this case, stripping the character might reduce the risk of OS command injection, but it would produce incorrect behavior because the subject field would not be recorded as the user intended. This might seem to be a minor inconvenience, but it could be more important when the program relies on well-structured subject lines in order to pass messages to other components.
Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.
Reference: http://cwe.mitre.org/data/definitions/78.html
Reference: https://owasp.org/www-community/attacks/Command_Injection
CWE Id: 78
WASC Id: 31
Source ID: 1

Medium (Medium) Cross-Domain Misconfiguration
Description: Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server
URL https://s0.bukalapak.com/images/cs-bl-map-location.png | Method GET | Evidence Access-Control-Allow-Origin: *
URL https://s0.bukalapak.com/ast/webpack/category_navbar-0321ff6561b5067c6601.js | Method GET | Evidence Access-Control-Allow-Origin: *
URL https://s0.bukalapak.com/ast/bazaar-dweb/snowflake/bazaar@2.16.0.css | Method GET | Evidence Access-Control-Allow-Origin: *
URL https://s0.bukalapak.com/ast/bazaar-dweb/base/utils@2.17.0.css | Method GET | Evidence Access-Control-Allow-Origin: *
URL https://s0.bukalapak.com/ast/webpack/user_sessions/login_stripped-968adbaff204b1b24fb5.js | Method GET | Evidence Access-Control-Allow-Origin: *
URL https://s0.bukalapak.com/ast/bazaar-dweb/base/bazaar@2.30.1.css | Method GET | Evidence Access-Control-Allow-Origin: *
URL https://s0.bukalapak.com/ast/vendor-bd9fb863fc6337f4c9e8e91d9832fad0d5611cca9a5c428ba6cbc7a743524383.js | Method GET | Evidence Access-Control-Allow-Origin: *
URL https://s0.bukalapak.com/ast/bazaar-dweb/base/global@0.10.0.css | Method GET | Evidence Access-Control-Allow-Origin: *
Instances: 8
Solution: Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance). Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
Other information: The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
Reference: http://www.hpenterprisesecurity.com/vulncat/en/vulncat/vb/html5_overly_permissive_cors_policy.html
CWE Id: 264
WASC Id: 14
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL http://s0.bukalapak.com | Method GET | Parameter X-Frame-Options
URL http://s0.bukalapak.com/ | Method GET | Parameter X-Frame-Options
Instances: 2
Solution: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) Cross-Domain Misconfiguration
Description: Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server
URL http://s0.bukalapak.com/panduan-belanja?category=pembayaran_tab | Method GET | Evidence Access-Control-Allow-Origin: *
URL http://s0.bukalapak.com/online/ | Method GET | Evidence Access-Control-Allow-Origin: *
Instances: 2
Solution: Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance). Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
Other information: The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
Reference: http://www.hpenterprisesecurity.com/vulncat/en/vulncat/vb/html5_overly_permissive_cors_policy.html
CWE Id: 264
WASC Id: 14
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL http://s.bukalapak.com | Method GET | Parameter X-Frame-Options
Instances: 1
Solution: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL http://respiratorycare.bukalapak.com | Method GET | Parameter X-Frame-Options
Instances: 1
Solution: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL http://push.bukalapak.com | Method GET | Parameter X-Frame-Options
Instances: 1
Solution: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL http://pop3.bukalapak.com | Method GET | Parameter X-Frame-Options
Instances: 1
Solution: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL http://pop.bukalapak.com | Method GET | Parameter X-Frame-Options
Instances: 1
Solution: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) Cross-Domain Misconfiguration
Description: Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server
URL http://panduan.bukalapak.com | Method GET | Evidence Access-Control-Allow-Origin: *
Instances: 1
Solution: Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance). Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
Other information: The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
Reference: http://www.hpenterprisesecurity.com/vulncat/en/vulncat/vb/html5_overly_permissive_cors_policy.html
CWE Id: 264
WASC Id: 14
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL http://em.noreply.bukalapak.com | Method GET | Parameter X-Frame-Options
Instances: 1
Solution: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL http://mx.bukalapak.com | Method GET | Parameter X-Frame-Options
Instances: 1
Solution: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id: 16
WASC Id: 15
Source ID: 3
Medium (Medium) X-Frame-Options Header Not Set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL https://mitra.bukalapak.com/artikel/112482/mengapa-lebih-untung-menabung-emas-digital-daripada-perhiasan-atau-fisik | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/artikel/kategori/kisah-mitra | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/artikel/109321/sameday-delivery-service-pesan-stok-barang-hari-ini-sampai-hari-ini | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/artikel/112406/juwita-juwara-warung-ter-jelita | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/artikel/112481/serba-serbi-fitur-tabungan-emas | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/artikel/112495/tabungan-emas-sekarang-bisa-bantu-pelanggan-naik-haji | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/artikel/112496/baru-dari-mitra-bukalapak-tabungan-emas-bisa-jamin-naik-haji | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/artikel/112598/ini-keuntungan-nabung-emas-di-mitra-bukalapak | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/artikel/112344/aktivasi-fitur-kirim-uang-raih-bonus-rp5-000 | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/artikel/112523/viral-juwara-video-review-ala-juwara | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/artikel/109179/belanja-stok-barang-mudah-dengan-metode-cod-untuk-kamu-yang-suka-transaksi-tunai | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/artikel | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/grosir | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/artikel/112483/warung-kamu-butuh-modal-mitra-bukalapak-kasih-solusi | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/artikel/kategori/akademi-mitra | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/sebar-poster/47 | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/search | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/paket-data/pricelist | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/tentang-mitra/faq | Method GET | Parameter X-Frame-Options
URL https://mitra.bukalapak.com/pulsa/pricelist | Method GET | Parameter X-Frame-Options
Instances: 50
Solution: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL http://mitra.bukalapak.com | Method GET | Parameter X-Frame-Options
Instances: 1
Solution: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL http://maskedempire.bukalapak.com | Method GET | Parameter X-Frame-Options
Instances: 1
Solution: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL http://mask6.bukalapak.com | Method GET | Parameter X-Frame-Options
Instances: 1
Solution: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL http://mask.bukalapak.com | Method GET | Parameter X-Frame-Options
Instances: 1
Solution: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL http://maschera.bukalapak.com | Method GET | Parameter X-Frame-Options
Instances: 1
Solution: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL http://mail.bukalapak.com | Method GET | Parameter X-Frame-Options
Instances: 1
Solution: Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
  12. 12. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 12/420 Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL https://m.bukalapak.com/c/komputer/server Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/amp/c/mobil-part-dan-aksesoris/interior-mobil Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/p/handphone/aksesoris-handphone/baterai-176/21tpdml-jual-baterai- polytron-zap-5-4g-450-4g450-pl-6r5c-double-ic-protection-batre-batrei-battery-batrai-baterei-batere- batrey-handphone-hp-original-power?cf=1&from=list- product&funnel=omnisearch&keyword=ZAP&pos=5&product_owner=seller_brand&promoted=1&sea rch_sort_default=true&sort_origin=relevansi&ssa=0 Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/c/handphone/aksesoris-handphone Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/c/handphone/power-bank Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/amp/c/perlengkapan-bayi/feeding-nursing Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/amp/c/games/counter-strike Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/c/fashion-wanita/kaos Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/amp/c/elektronik/setrika-steamer Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/amp/c/fashion-wanita/bahan-kain Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/c/fashion-pria/pakaian-dalam Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/c/industrial/peralatan-medis-laboratori Method GET Parameter X-Frame-Options
  13. 13. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 13/420 URL https://m.bukalapak.com/c/fashion-wanita/dompet Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/c/media/video Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/p/handphone/aksesoris-handphone/baterai-176/oep9lk-jual-baterai-logon- polytron-zap-6note-4g-550?cf=1&from=list- product&funnel=omnisearch&keyword=ZAP&pos=41&product_owner=normal_seller&promoted=1&s earch_sort_default=true&sort_origin=relevansi&ssa=1 Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/p/handphone/aksesoris-handphone/baterai-176/21tmh1l-jual-baterai- polytron-zap-6-flaz-4g-503-4g503-pl-8an5-double-ic-protection-batre-batrei-battery-batrai-baterei- batere-batrey-handphone-hp-original-power?cf=1&from=list- product&funnel=omnisearch&keyword=ZAP&pos=3&product_owner=seller_brand&promoted=1&sea rch_sort_default=true&sort_origin=relevansi&ssa=0 Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/p/handphone/aksesoris-handphone/baterai-176/frmaqa-jual-baterai- handphone-polytron-zap-5-4g450-pl-6r5c-original-batu-batre-oem-polytron-zap-5-battery-4g450? cf=1&from=list- product&funnel=omnisearch&keyword=ZAP&pos=26&product_owner=normal_seller&promoted=0&s earch_sort_default=true&sort_origin=relevansi&ssa=1 Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/amp/c/olahraga/exercise-fitness Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/amp/c/mobil-part-dan-aksesoris/mesin-mobil Method GET Parameter X-Frame-Options URL https://m.bukalapak.com/amp/c/kamera/memory-card-194 Method GET Parameter X-Frame-Options Instances 662 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. 
it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) Cross-Domain Misconfiguration
  14. 14. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 14/420 Description Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server URL https://m.bukalapak.com/online/ Method GET Evidence Access-Control-Allow-Origin: * URL https://m.bukalapak.com/panduan-belanja Method GET Evidence Access-Control-Allow-Origin: * URL https://m.bukalapak.com/panduan-belanja?category=pembayaran_tab Method GET Evidence Access-Control-Allow-Origin: * Instances 3 Solution Ensure that sensitive data is not available in an unauthenticated manner (using IP address white- listing, for instance). Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner. Other information The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. Reference http://www.hpenterprisesecurity.com/vulncat/en/vulncat/vb/html5_overly_permissive_cors_policy.html CWE Id 264 WASC Id 14 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://m.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. 
Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set
  15. 15. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 15/420 Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://llb-cgk-dc3.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://latexmask.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://imap4.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. 
Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16
  16. 16. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 16/420 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://imap.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://grosir.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://gosok.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. 
Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the
  17. 17. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 17/420 page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://geoinfection.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://foxmask.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). 
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://festivaliklan.bukalapak.com Method GET Parameter X-Frame-Options
  18. 18. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 18/420 Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://fernsehen.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://faezamaska.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. 
it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
  19. 19. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 19/420 URL http://csanalyst.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://coronax.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://74b0722c.connect.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. 
it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3
  20. 20. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 20/420 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://62c2238b.connect.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://57721163.connect.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. 
URL http://3a958cee.connect.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
  21. 21. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 21/420 CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://0d02d953.connect.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL https://careers.bukalapak.com/ Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. 
URL http://careers.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g.
  22. 22. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 22/420 it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://c11.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://c0.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). 
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://www.bukudbr.bukalapak.com Method GET
  23. 23. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 23/420 Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL https://bukapotensi.bukalapak.com/general/inside-bukalapak-how-i-landed-a-product-design-job-at- 18-for-one-of-indonesias-unicorns/ Method GET Parameter X-Frame-Options URL https://bukapotensi.bukalapak.com/bukamagang/life-as-data-analyst-intern-at-bukalapak/ Method GET Parameter X-Frame-Options URL https://bukapotensi.bukalapak.com/bukamagang/ Method GET Parameter X-Frame-Options URL https://bukapotensi.bukalapak.com/?s Method GET Parameter X-Frame-Options URL https://bukapotensi.bukalapak.com/updates/ Method GET Parameter X-Frame-Options URL https://bukapotensi.bukalapak.com/bukariset/ Method GET Parameter X-Frame-Options URL https://bukapotensi.bukalapak.com/category/general/ Method GET Parameter X-Frame-Options URL https://bukapotensi.bukalapak.com/bukabeasiswa/ Method GET Parameter X-Frame-Options URL https://bukapotensi.bukalapak.com/faq/ Method GET Parameter X-Frame-Options
  24. 24. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 24/420 URL https://bukapotensi.bukalapak.com/category/bukamagang/ Method GET Parameter X-Frame-Options URL https://bukapotensi.bukalapak.com/ Method GET Parameter X-Frame-Options URL https://bukapotensi.bukalapak.com/bukafigur/ Method GET Parameter X-Frame-Options URL https://bukapotensi.bukalapak.com/bukamagang/how-it-feels-to-be-a-backend-engineer-intern-at- bukalapak/ Method GET Parameter X-Frame-Options URL https://bukapotensi.bukalapak.com/bukariset/topics/ Method GET Parameter X-Frame-Options Instances 14 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://bukapotensi.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set
  25. 25. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 25/420 Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://bukainfo.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL https://bukabantuan.bukalapak.com/ Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). 
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) CSP Scanner: Wildcard Directive Description The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: frame-ancestors URL https://bukabantuan.bukalapak.com/auth Method GET Parameter Content-Security-Policy Evidence default-src 'none' Instances 1 Solution Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header. Reference http://www.w3.org/TR/CSP2/ http://www.w3.org/TR/CSP/
  26. 26. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 26/420 http://caniuse.com/#search=content+security+policy http://content-security-policy.com/ https://github.com/shapesecurity/salvation CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://bukabantuan.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL https://blog.bukalapak.com/ Method GET Parameter X-Frame-Options URL https://blog.bukalapak.com/?keyword=ZAP Method GET Parameter X-Frame-Options Instances 2 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set
  27. 27. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 27/420 Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://blog.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://blackvirus.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://bkykvrjffnvmofsemfmingxwjasrkiaaqujhovbm.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. 
Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16
  28. 28. 12/8/22, 10:28 PM ZAP Scanning Report file:///G:/PENTEST BUKALAPAK/Report.html 28/420 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://belajar.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. URL http://bbm-service.bukalapak.com Method GET Parameter X-Frame-Options Instances 1 Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options CWE Id 16 WASC Id 15 Source ID 3 Medium (Medium) X-Frame-Options Header Not Set Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks. 
URL http://agen.bukalapak.com
Method GET
Parameter X-Frame-Options
Instances 1
Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id 16, WASC Id 15, Source ID 3

Medium (Medium) X-Frame-Options Header Not Set
Description X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
The report raises this alert separately for each of the following hosts; every entry has Method GET, Parameter X-Frame-Options, Instances 1 and the same Description, Solution and Reference.
URL http://3rd-service-2.bukalapak.com
URL http://3rd-service-1.bukalapak.com
URL http://33www.bukalapak.com
URL http://2fwww.bukalapak.com
URL http://252fwww.bukalapak.com
Solution Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id 16, WASC Id 15, Source ID 3

Low (Medium) Cross-Domain JavaScript Source File Inclusion
Description The page includes one or more script files from a third-party domain.
Method GET for every instance below; Parameter is the included script URL, Evidence the script tag found in the page.

URL https://s0.bukalapak.com/c/tiket-voucher
Parameter https://s3.bukalapak.com/ast/webpack/header_dweb-618fc214237381cb87a8.js
Evidence <script src="https://s3.bukalapak.com/ast/webpack/header_dweb-618fc214237381cb87a8.js"></script>

URL https://s0.bukalapak.com/404?from=nav_header
Parameter https://s2.bukalapak.com/ast/siburung-a40773a6820fd3fbd4e41d5badefad442239c0c2cc701292986401ecde82c3b9.js
Evidence <script src="https://s2.bukalapak.com/ast/siburung-a40773a6820fd3fbd4e41d5badefad442239c0c2cc701292986401ecde82c3b9.js"></script>

URL https://s0.bukalapak.com/c/sepeda
Parameter https://s3.bukalapak.com/ast/application-d91eafd44b206fcf486b9c656237217fbf2b0c821210b85b65341fbdefd409e7.js
Evidence <script src="https://s3.bukalapak.com/ast/application-d91eafd44b206fcf486b9c656237217fbf2b0c821210b85b65341fbdefd409e7.js" class="js-application-script"></script>

URL https://s0.bukalapak.com/merk
Parameter https://s3.bukalapak.com/ast/webpack/header_dweb-618fc214237381cb87a8.js
Evidence <script src="https://s3.bukalapak.com/ast/webpack/header_dweb-618fc214237381cb87a8.js"></script>

URL https://s0.bukalapak.com/c/fashion-pria
Parameter https://s2.bukalapak.com/ast/siburung-a40773a6820fd3fbd4e41d5badefad442239c0c2cc701292986401ecde82c3b9.js
Evidence <script src="https://s2.bukalapak.com/ast/siburung-a40773a6820fd3fbd4e41d5badefad442239c0c2cc701292986401ecde82c3b9.js"></script>

URL https://s0.bukalapak.com/c/perlengkapan-kantor
Parameter https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
Evidence <script async src='https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js'></script>

URL https://s0.bukalapak.com/manfaat
Parameter https://www.googletagservices.com/tag/js/gpt.js
Evidence <script async='' src='https://www.googletagservices.com/tag/js/gpt.js' type='text/javascript'></script>

URL https://s0.bukalapak.com/mobile-apps?from=nav_header
Parameter https://s3.bukalapak.com/ast/webpack/grandfleet/fragment_loader-a9128efe32ee9df004af.js
Evidence <script src="https://s3.bukalapak.com/ast/webpack/grandfleet/fragment_loader-a9128efe32ee9df004af.js"></script>

URL https://s0.bukalapak.com/404
Parameter https://s3.bukalapak.com/ast/webpack/grandfleet/fragment_loader-a9128efe32ee9df004af.js
Evidence <script src="https://s3.bukalapak.com/ast/webpack/grandfleet/fragment_loader-a9128efe32ee9df004af.js"></script>

URL https://s0.bukalapak.com/c/kamera
Parameter https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
Evidence <script async src='https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js'></script>

URL https://s0.bukalapak.com/c/fashion-wanita
Parameter https://s3.bukalapak.com/ast/application-d91eafd44b206fcf486b9c656237217fbf2b0c821210b85b65341fbdefd409e7.js
Evidence <script src="https://s3.bukalapak.com/ast/application-d91eafd44b206fcf486b9c656237217fbf2b0c821210b85b65341fbdefd409e7.js" class="js-application-script"></script>

URL https://s0.bukalapak.com/c/motor-471
Parameter https://s3.bukalapak.com/ast/application-d91eafd44b206fcf486b9c656237217fbf2b0c821210b85b65341fbdefd409e7.js
Evidence <script src="https://s3.bukalapak.com/ast/application-d91eafd44b206fcf486b9c656237217fbf2b0c821210b85b65341fbdefd409e7.js" class="js-application-script"></script>

URL https://s0.bukalapak.com/affiliate
Parameter https://s3.bukalapak.com/ast/webpack/grandfleet/fragment_loader-a9128efe32ee9df004af.js
Evidence <script src="https://s3.bukalapak.com/ast/webpack/grandfleet/fragment_loader-a9128efe32ee9df004af.js"></script>

URL https://s0.bukalapak.com/faq
Parameter https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
Evidence <script async src='https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js'></script>

URL https://s0.bukalapak.com/c/elektronik
Parameter https://s2.bukalapak.com/javascripts/honeybadger-v0.5.min.js
Evidence <script src='https://s2.bukalapak.com/javascripts/honeybadger-v0.5.min.js'></script>

URL https://s0.bukalapak.com/?from=nav_header
Parameter https://s2.bukalapak.com/javascripts/honeybadger-v0.5.min.js
Evidence <script src='https://s2.bukalapak.com/javascripts/honeybadger-v0.5.min.js'></script>

URL https://s0.bukalapak.com/panduan_keamanan
Parameter https://s4.bukalapak.com/ast/polyfills-b92e7dd7a44a91ed5d3c23b5e415a932458fde6e5a19b3ae128f4b59500edf13.js
Evidence <script src="https://s4.bukalapak.com/ast/polyfills-b92e7dd7a44a91ed5d3c23b5e415a932458fde6e5a19b3ae128f4b59500edf13.js" class="js-polyfills-script"></script>

URL https://s0.bukalapak.com/c/perawatan-kecantikan
Parameter https://www.googletagservices.com/tag/js/gpt.js
Evidence <script async='' src='https://www.googletagservices.com/tag/js/gpt.js' type='text/javascript'></script>

URL https://s0.bukalapak.com/manfaat
Parameter https://s3.bukalapak.com/ast/webpack/grandfleet/fragment_loader-a9128efe32ee9df004af.js
Evidence <script src="https://s3.bukalapak.com/ast/webpack/grandfleet/fragment_loader-a9128efe32ee9df004af.js"></script>

URL https://s0.bukalapak.com/bukapengadaan/
Parameter https://static-morpheus.bukalapak.com/assets/custom-elements/vendor~b916e1a4.311f197e8bdefab20f41.61856d9ba42c54e8d236.min.js
Evidence <script type="text/javascript" src="https://static-morpheus.bukalapak.com/assets/custom-elements/vendor~b916e1a4.311f197e8bdefab20f41.61856d9ba42c54e8d236.min.js"></script>

Instances 347
Solution Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.
Reference (none given)
CWE Id 829, WASC Id 15, Source ID 3

Low (Medium) X-Content-Type-Options Header Missing
Description The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
Method GET and Parameter X-Content-Type-Options for every instance below.
URL https://s0.bukalapak.com/ast/bazaar-dweb/base/utils@2.17.0.css
URL https://s0.bukalapak.com/ast/webpack/user_sessions/login_stripped-968adbaff204b1b24fb5.js
URL https://s0.bukalapak.com/ast/bazaar-dweb/base/bazaar@2.30.1.css
URL https://s0.bukalapak.com/ast/vendor-bd9fb863fc6337f4c9e8e91d9832fad0d5611cca9a5c428ba6cbc7a743524383.js
URL https://s0.bukalapak.com/ast/bazaar-dweb/snowflake/bazaar@2.16.0.css
URL https://s0.bukalapak.com/manifest-new-logo.json
URL https://s0.bukalapak.com/images/cs-bl-map-location.png
URL https://s0.bukalapak.com/ast/bazaar-dweb/base/global@0.10.0.css
URL https://s0.bukalapak.com/ast/webpack/category_navbar-0321ff6561b5067c6601.js
Instances 9
Solution Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages. If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
Other information This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scanner will not alert on client or server error responses.
Reference http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
Reference https://owasp.org/www-community/Security_Headers
CWE Id 16, WASC Id 15, Source ID 3

Low (Medium) Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
Description The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.
Evidence X-Powered-By: Phusion Passenger 5.3.2 on each of the following (Method GET unless noted):
URL https://s0.bukalapak.com/c?from=nav_header
URL https://s0.bukalapak.com/c/olahraga
URL https://s0.bukalapak.com/login?from=nav_header
URL https://s0.bukalapak.com/c/food
URL https://s0.bukalapak.com/c/fashion-pria
URL https://s0.bukalapak.com/404?from=nav_header
URL https://s0.bukalapak.com/c/mobil-part-dan-aksesoris
URL https://s0.bukalapak.com/c/komputer
URL https://s0.bukalapak.com/faq
URL https://s0.bukalapak.com/c/kamera
URL https://s0.bukalapak.com/c/perlengkapan-kantor
URL https://s0.bukalapak.com/send_app_link (Method POST)
URL https://s0.bukalapak.com/c/hobi-koleksi
URL https://s0.bukalapak.com/c/tiket-voucher
URL https://s0.bukalapak.com/affiliate
URL https://s0.bukalapak.com/c/perawatan-kecantikan
URL https://s0.bukalapak.com/c/fashion-wanita
URL https://s0.bukalapak.com/c/sepeda
URL https://s0.bukalapak.com/privacy
Evidence X-Powered-By: Express on:
URL https://s0.bukalapak.com/bukapengadaan/ (Method GET)
Instances 38
Solution Ensure that your web server, application server, load balancer, etc. is configured to suppress "X-Powered-By" headers.
Reference http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx
Reference http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html
CWE Id 200, WASC Id 13, Source ID 3

Low (Medium) Cookie Without Secure Flag
Description A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.
Method GET for every instance below; Parameter is the cookie name, Evidence the Set-Cookie header that carried it.
URL https://s0.bukalapak.com/404?from=nav_header  Parameter lskjfewjrh34ghj23brjh234  Evidence Set-Cookie: lskjfewjrh34ghj23brjh234
URL https://s0.bukalapak.com/404?from=nav_header  Parameter _mkra_ctxt  Evidence Set-Cookie: _mkra_ctxt
URL https://s0.bukalapak.com/404  Parameter lskjfewjrh34ghj23brjh234  Evidence Set-Cookie: lskjfewjrh34ghj23brjh234
URL https://s0.bukalapak.com/bl/pulsa?from=nav_header  Parameter _stepmother_session  Evidence Set-Cookie: _stepmother_session
URL https://s0.bukalapak.com/404  Parameter _mkra_ctxt  Evidence Set-Cookie: _mkra_ctxt
URL https://s0.bukalapak.com/bukapengadaan/  Parameter _stepmother_session  Evidence Set-Cookie: _stepmother_session
Instances 6
Solution Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.
Reference https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
CWE Id 614, WASC Id 13, Source ID 3

Low (Medium) Incomplete or No Cache-control and Pragma HTTP Header Set
Description The cache-control and pragma HTTP headers have not been set properly or are missing, allowing the browser and proxies to cache content.
Method GET and Parameter Cache-Control for every instance below; Evidence is the Cache-Control value seen, where one was present.
URL https://s0.bukalapak.com/about
URL https://s0.bukalapak.com/ast/bazaar-dweb/base/utils@2.17.0.css  Evidence public, max-age=10368000
URL https://s0.bukalapak.com/manifest-new-logo.json
URL https://s0.bukalapak.com/ast/bazaar-dweb/snowflake/bazaar@2.16.0.css  Evidence public, max-age=10368000
URL https://s0.bukalapak.com/ast/bazaar-dweb/base/global@0.10.0.css  Evidence public, max-age=10368000
URL https://s0.bukalapak.com/ast/bazaar-dweb/base/bazaar@2.30.1.css  Evidence public, max-age=10368000
URL https://s0.bukalapak.com/bukapengadaan/
Instances 7
Solution Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.
Reference https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
CWE Id 525, WASC Id 13, Source ID 3

Low (Medium) Cookie Without SameSite Attribute
Description A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.
Method GET for every instance below; Parameter is the cookie name, Evidence the Set-Cookie header that carried it.
URL https://s0.bukalapak.com/bukapengadaan/  Parameter _stepmother_session  Evidence Set-Cookie: _stepmother_session
URL https://s0.bukalapak.com/404?from=nav_header  Parameter _mkra_ctxt  Evidence Set-Cookie: _mkra_ctxt
URL https://s0.bukalapak.com/404?from=nav_header  Parameter lskjfewjrh34ghj23brjh234  Evidence Set-Cookie: lskjfewjrh34ghj23brjh234
URL https://s0.bukalapak.com/404  Parameter lskjfewjrh34ghj23brjh234  Evidence Set-Cookie: lskjfewjrh34ghj23brjh234
URL https://s0.bukalapak.com/404  Parameter _mkra_ctxt  Evidence Set-Cookie: _mkra_ctxt
URL https://s0.bukalapak.com/bl/pulsa?from=nav_header  Parameter _stepmother_session  Evidence Set-Cookie: _stepmother_session
Instances 6
Solution Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
Reference https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site
CWE Id 16, WASC Id 13, Source ID 3

Low (Medium) Absence of Anti-CSRF Tokens
Description No Anti-CSRF tokens were found in an HTML submission form.
A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.
CSRF attacks are effective in a number of situations, including:
* The victim has an active session on the target site.
* The victim is authenticated via HTTP auth on the target site.
* The victim is on the same local network as the target site.
CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.
Method GET for every instance below; Evidence is the form tag found without a token.
URL https://s0.bukalapak.com/ast/vendor-bd9fb863fc6337f4c9e8e91d9832fad0d5611cca9a5c428ba6cbc7a743524383.js  Evidence <form enctype='multipart/form-data' method='post'>
URL https://s0.bukalapak.com/ast/vendor-bd9fb863fc6337f4c9e8e91d9832fad0d5611cca9a5c428ba6cbc7a743524383.js  Evidence <form>
URL https://s0.bukalapak.com/ast/vendor-bd9fb863fc6337f4c9e8e91d9832fad0d5611cca9a5c428ba6cbc7a743524383.js  Evidence <form method="post" action="'+r+'">
URL https://s0.bukalapak.com/bukapengadaan/  Evidence <form>
URL https://s0.bukalapak.com/ast/vendor-bd9fb863fc6337f4c9e8e91d9832fad0d5611cca9a5c428ba6cbc7a743524383.js  Evidence <form>
URL https://s0.bukalapak.com/ast/vendor-bd9fb863fc6337f4c9e8e91d9832fad0d5611cca9a5c428ba6cbc7a743524383.js  Evidence <form>
Instances 6
Solution
Phase: Architecture and Design
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, use anti-CSRF packages such as the OWASP CSRFGuard.
Phase: Implementation
Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.
Phase: Architecture and Design
Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). Note that this can be bypassed using XSS.
Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note that this can be bypassed using XSS.
Use the ESAPI Session Management control. This control includes a component for CSRF.
Do not use the GET method for any request that triggers a state change.
Phase: Implementation
Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.
Other information No known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret] was found in the following HTML form: [Form 4: ].
Reference http://projects.webappsec.org/Cross-Site-Request-Forgery
Reference http://cwe.mitre.org/data/definitions/352.html
CWE Id 352, WASC Id 9, Source ID 3

Low (Medium) Cross-Domain JavaScript Source File Inclusion
Description The page includes one or more script files from a third-party domain.
Method GET for every instance below; Parameter is the included script URL, Evidence the script tag found in the page.

URL http://s0.bukalapak.com/users/login_menu
Parameter https://s4.bukalapak.com/ast/alligator-67ea465cf582f9f2ea9d73492b119999251ac50e0821692d6ab797416dc072ea.js
Evidence <script src="https://s4.bukalapak.com/ast/alligator-67ea465cf582f9f2ea9d73492b119999251ac50e0821692d6ab797416dc072ea.js"></script>

URL http://s0.bukalapak.com/mobile-apps?from=nav_header
Parameter https://www.googletagservices.com/tag/js/gpt.js
Evidence <script async='' src='https://www.googletagservices.com/tag/js/gpt.js' type='text/javascript'></script>

URL http://s0.bukalapak.com/*/admin_link$
Parameter https://s2.bukalapak.com/ast/siburung-a40773a6820fd3fbd4e41d5badefad442239c0c2cc701292986401ecde82c3b9.js
Evidence <script src="https://s2.bukalapak.com/ast/siburung-a40773a6820fd3fbd4e41d5badefad442239c0c2cc701292986401ecde82c3b9.js"></script>

URL http://s0.bukalapak.com/merk
Parameter https://www.googletagservices.com/tag/js/gpt.js
Evidence <script async='' src='https://www.googletagservices.com/tag/js/gpt.js' type='text/javascript'></script>

URL http://s0.bukalapak.com/site_map/users-y
Parameter https://s1.bukalapak.com/ast/sigil/assets/fragments-white-header-dweb-stylesheet-bb3a14bcffbb6826ea04.js
Evidence <script src="https://s1.bukalapak.com/ast/sigil/assets/fragments-white-header-dweb-stylesheet-bb3a14bcffbb6826ea04.js" crossorigin defer></script>

URL http://s0.bukalapak.com/site_map/users-t
Parameter https://s2.bukalapak.com/marketplace/app-b03699ba842141ed27b0-m.js
Evidence <script crossorigin="anonymous" nomodule="" src="https://s2.bukalapak.com/marketplace/app-b03699ba842141ed27b0-m.js" defer=""></script>

URL http://s0.bukalapak.com/site_map/users-m
Parameter https://s2.bukalapak.com/marketplace/vnd-b03699ba842141ed27b0-m.js
Evidence <script crossorigin="anonymous" src="https://s2.bukalapak.com/marketplace/vnd-b03699ba842141ed27b0-m.js"></script>

URL http://s0.bukalapak.com/site_map/users-n
Parameter https://s2.bukalapak.com/marketplace/vnd-b03699ba842141ed27b0-m.js
Evidence <script crossorigin="anonymous" src="https://s2.bukalapak.com/marketplace/vnd-b03699ba842141ed27b0-m.js"></script>

URL http://s0.bukalapak.com/c/perlengkapan-kantor
Parameter https://s2.bukalapak.com/javascripts/honeybadger-v0.5.min.js
Evidence <script src='https://s2.bukalapak.com/javascripts/honeybadger-v0.5.min.js'></script>

URL http://s0.bukalapak.com/c/perawatan-kecantikan
Parameter https://s3.bukalapak.com/ast/webpack/header_dweb-618fc214237381cb87a8.js
Evidence <script src="https://s3.bukalapak.com/ast/webpack/header_dweb-618fc214237381cb87a8.js"></script>

URL http://s0.bukalapak.com/payment/
Parameter https://s4.bukalapak.com/ast/polyfills-b92e7dd7a44a91ed5d3c23b5e415a932458fde6e5a19b3ae128f4b59500edf13.js
Evidence <script src="https://s4.bukalapak.com/ast/polyfills-b92e7dd7a44a91ed5d3c23b5e415a932458fde6e5a19b3ae128f4b59500edf13.js" class="js-polyfills-script"></script>

URL http://s0.bukalapak.com/site_map/users-x
Parameter https://s1.bukalapak.com/ast/sigil/assets/fragments-white-header-dweb-stylesheet-bb3a14bcffbb6826ea04.js
Evidence <script src="https://s1.bukalapak.com/ast/sigil/assets/fragments-white-header-dweb-stylesheet-bb3a14bcffbb6826ea04.js" crossorigin defer></script>

URL http://s0.bukalapak.com/site_map/users-s
Parameter https://s2.bukalapak.com/marketplace/app-b03699ba842141ed27b0-m.js
Evidence <script crossorigin="anonymous" nomodule="" src="https://s2.bukalapak.com/marketplace/app-b03699ba842141ed27b0-m.js" defer=""></script>

URL http://s0.bukalapak.com/components/products/related_deal/
Parameter https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
Evidence <script async src='https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js'></script>

URL http://s0.bukalapak.com/site_map/users-0
Parameter https://s2.bukalapak.com/marketplace/summoner-b03699ba842141ed27b0-m.js
Evidence <script crossorigin="anonymous" src="https://s2.bukalapak.com/marketplace/summoner-b03699ba842141ed27b0-m.js"></script>

URL http://s0.bukalapak.com/site_map/users-o
Parameter https://s2.bukalapak.com/marketplace/vnd-b03699ba842141ed27b0-m.js
Evidence <script crossorigin="anonymous" src="https://s2.bukalapak.com/marketplace/vnd-b03699ba842141ed27b0-m.js"></script>

URL http://s0.bukalapak.com/site_map/users-2
Parameter https://s2.bukalapak.com/marketplace/summoner-b03699ba842141ed27b0-m.js
Evidence <script crossorigin="anonymous" src="https://s2.bukalapak.com/marketplace/summoner-b03699ba842141ed27b0-m.js"></script>

URL http://s0.bukalapak.com/account_settings/
Parameter https://s4.bukalapak.com/ast/polyfills-b92e7dd7a44a91ed5d3c23b5e415a932458fde6e5a19b3ae128f4b59500edf13.js
Evidence <script src="https://s4.bukalapak.com/ast/polyfills-b92e7dd7a44a91ed5d3c23b5e415a932458fde6e5a19b3ae128f4b59500edf13.js" class="js-polyfills-script"></script>

URL http://s0.bukalapak.com/c/perawatan-kecantikan
Parameter https://s3.bukalapak.com/ast/application-d91eafd44b206fcf486b9c656237217fbf2b0c821210b85b65341fbdefd409e7.js
Evidence <script src="https://s3.bukalapak.com/ast/application-d91eafd44b206fcf486b9c656237217fbf2b0c821210b85b65341fbdefd409e7.js" class="js-application-script"></script>

URL http://s0.bukalapak.com/about
Parameter https://s2.bukalapak.com/marketplace/app-b03699ba842141ed27b0-m.js
Evidence <script crossorigin="anonymous" type="module" src="https://s2.bukalapak.com/marketplace/app-b03699ba842141ed27b0-m.js"></script>

Instances 1220
Solution Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.
Reference (none given)
CWE Id 829, WASC Id 15, Source ID 3

Low (Medium) Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
Description The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.
URL http://s0.bukalapak.com/*/one_click_form$
Method GET
Evidence X-Powered-By: Phusion Pas