Closed astrajescu closed 4 years ago
SSL (https) protocol has no auto redirect to https for the moment -> http://microsimulation.pub/ to https://microsimulation.pub/
risk: medium
issue ref: #76
XSS injection is possible in the form on the partner site launched by the [Submit your research] button:
risk: High
tech details:
inject ->
<b onmouseover=alert('Wufff!')>click me!</b>
into any edit box
https://www.epress.ac.uk/ijm/webforms/author3.php
video evidence:
CWE-200
risk: low
tech details: server leaks technology stack info in response headers:
Server: nginx/1.15.5
X-Powered-By: PHP/7.0.29
issue ref: #76
vulnerability: Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.
vulnerability: No Anti-CSRF tokens were found in a HTML submission form. A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim.
Tool used: https://www.zaproxy.org/
Run tests related to OWASP Top-10 security risks, where applicable.
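As an added example (not part of this issue or the project's code), the following Python re-creates the three passive checks behind the findings above on constructed inputs: a plain-HTTP response that is not a redirect, response headers modelled on the quoted Server/X-Powered-By values, and a stand-in POST form with no hidden token field. The header dict, the form HTML and the token-name heuristic are assumptions made for the example.

```python
# Offline re-check of the issue's passive findings; SAMPLE_* values are constructed, modelled on the quoted headers.
import re
from html.parser import HTMLParser

LEAKY_HEADERS = ("server", "x-powered-by")          # headers that commonly disclose the stack (CWE-200)
TOKEN_HINT = re.compile(r"csrf|token|nonce", re.I)   # heuristic for anti-CSRF hidden-field names (assumption)

def check_redirect(status, headers):
    """A plain-HTTP response should be a 3xx redirect whose Location is https://."""
    location = headers.get("Location", "")
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return []
    return ["no redirect from http to https"]

def check_version_leak(headers):
    """Flag Server / X-Powered-By values that carry a version number."""
    return [f"{name} header discloses version: {value}" for name, value in headers.items()
            if name.lower() in LEAKY_HEADERS and re.search(r"\d+\.\d+", value)]

class _FormScanner(HTMLParser):
    """Collect each form's action, method and the names of its hidden inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "",
                         "method": (a.get("method") or "get").lower(), "hidden": []}
        elif tag == "input" and self._cur and (a.get("type") or "").lower() == "hidden":
            self._cur["hidden"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form" and self._cur:
            self.forms.append(self._cur)
            self._cur = None

def check_csrf_tokens(html_body):
    """Report POST forms with no hidden field whose name looks like a token."""
    scanner = _FormScanner()
    scanner.feed(html_body)
    return [f"form {f['action'] or '(no action)'} has no anti-CSRF token" for f in scanner.forms
            if f["method"] == "post" and not any(TOKEN_HINT.search(n) for n in f["hidden"])]

def audit(status, headers, html_body):
    return check_redirect(status, headers) + check_version_leak(headers) + check_csrf_tokens(html_body)

# Constructed sample: header values as quoted in the issue, form is a placeholder, not the real page.
SAMPLE_HEADERS = {"Server": "nginx/1.15.5", "X-Powered-By": "PHP/7.0.29", "Content-Type": "text/html"}
SAMPLE_BODY = '<form method="post" action="/author3.php"><input name="title"><input type="submit"></form>'
```

Calling `audit(200, SAMPLE_HEADERS, SAMPLE_BODY)` returns one finding string per reported weakness; a 301 to an https:// Location or a hidden `csrf_token` input clears the corresponding check.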