This template searches for missing HTTP security headers. The impact of these missing headers can vary.
Request
GET / HTTP/1.1
Host: app-vulnerable2022-imb.herokuapp.com
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
Response
HTTP/1.1 200 OK
Connection: close
Content-Length: 1764
Content-Type: text/html; charset=utf-8
Date: Fri, 07 Oct 2022 02:49:11 GMT
Etag: W/"6e4-Dw3N6gNLvz/jW2d/o/Fi1VvyfVs"
Server: Cowboy
Set-Cookie: sid=s%3A0T9yGb_zzJMF4bYCRJt3LAcO-JX0C9WK.hipJHwO3lKYXw1VUFGKZmVyau%2FFx4SqwR7aVbERH2fk; Path=/; Expires=Sat, 08 Oct 2022 02:49:11 GMT
Via: 1.1 vegur
X-Powered-By: Express
<title>Vulnerable Web App</title>
<style>
@font-face{
font-family:'Lato-Lig';
src: url('/static/fonts/Lato-Lig.ttf') format('truetype');
font-weight:400;
font-style:normal
}
@font-face{
font-family:'Lato-Reg';
src: url('/static/fonts/Lato-Reg.ttf') format('truetype');
font-weight:400;
font-style:normal
}
body{
font-family: "Lato-Reg";
}
</style>
<style>
.main{
font-family: "Lato-Lig";
width: 500px;
position: fixed;
left: 50%;
top: 60px;
margin-left: -250px;
}
.header-container{
}
</style>
<div class="main">
<div class="header-container">
<h1>EkoParty Hackademy-Vulnerable Web App</h1>
<h3>Cada Link contiene vulnerabilidades intencionalmente. Juega con cada uno para tener una idea de cómo funcionan.</h3>
</div>
<br>
<ul>
<li><a href="/reflected_xss?foobar=Hello%20world!">Reflected XSS Example 1</a></li>
<li><a href="/reflected_xss_2?foo=bar">Reflected XSS Example 2</a></li>
<li><a href="/reflected_xss_3?foo=bar">Reflected XSS Example 3</a></li>
<li><a href="/stored_xss">Stored XSS Example</a></li>
<li><a href="/csrf">CSRF Example</a></li>
<li><a href="/fuzzing/fuzz.html">Fuzzing</a></li>
<li><a href="/auth_bypass">Authentication Bypass</a></li>
<li><a href="/views/directory_traversal.html">Directory Traversal</a></li>
<li><a href="/private_pages/123/document.html">Insecure Direct Object Reference (IDOR)</a></li>
<li><a href="/rce">Injections and remote code execution</a></li>
<li><a href="/general?foo=a">Mixed topics</a></li>
</ul>
</div>
Details: http-missing-security-headers:cross-origin-resource-policy matched at https://app-vulnerable2022-imb.herokuapp.com
Protocol: HTTP
Full URL: https://app-vulnerable2022-imb.herokuapp.com
Timestamp: Fri Oct 7 02:49:13 +0000 UTC 2022
Template Information
Request
Response
CURL Command
Generated by Nuclei 2.7.7