33小铺 scan attachment


Report
Acunetix Security Audit

2021-10-26

Generated by Acunetix

Scan of www.33xp.cn
Scan details
Scan information
Start time: 2021-10-26T12:53:48.818742+08:00
Start URL: https://www.33xp.cn/
Host: www.33xp.cn
Scan time: 18 minutes, 24 seconds
Profile: Full Scan
Server information: nginx
Responsive: True
Server OS: Unknown

Threat level

Acunetix Threat Level 1

One or more low-severity type vulnerabilities have been discovered by the scanner.

Alerts distribution

Total alerts found 8


High 0
Medium 0
Low 4
Informational 4

Affected items
Web Server
Alert group: Clickjacking: X-Frame-Options header missing
Severity: Low
Description: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.
Recommendations: Configure your web server to include an X-Frame-Options header and a CSP header with a frame-ancestors directive. Browsers that support CSP Level 2 ignore X-Frame-Options when frame-ancestors is present, so the two values should agree (for example DENY and 'none'); X-Frame-Options only matters for older browsers. Consult the web references for more information about the possible values for this header.
Alert variants:
Paths without XFO header:
Details: https://www.33xp.cn/

GET / HTTP/1.1
Referer: https://www.33xp.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: www.33xp.cn
Connection: Keep-alive

Web Server
Alert group: Cookies with missing, inconsistent or contradictory properties (verified)
Severity: Low
Description: At least one of the following cookie properties causes the cookie to be invalid or incompatible, either with a different property of the same cookie or with the environment the cookie is being used in. Although this is not a vulnerability in itself, it will likely lead to unexpected behaviour by the application, which in turn may cause secondary security issues.
Recommendations: Ensure that the cookie configuration complies with the applicable standards.
Alert variants:
List of cookies with missing, inconsistent or contradictory properties:
Details:
https://www.33xp.cn/
Cookie was set with:
Set-Cookie: XSRF-TOKEN=eyJpdiI6IlFCS1VsOHpXeUt4aGNhclU4MTJOR3c9PS
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply

https://www.33xp.cn/
Cookie was set with:
Set-Cookie: _session=eyJpdiI6IndrdGRJcnIwQ2NxVVRPS0VrcllLdVE9PSIs
This cookie has the following issues:
- Cookie without SameSite attribute.
When cookies lack the SameSite attribute, Web browsers may apply

GET / HTTP/1.1
Referer: https://www.33xp.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: www.33xp.cn
Connection: Keep-alive

Web Server
Alert group: Cookies without HttpOnly flag set (verified)
Severity: Low
Description: One or more cookies don't have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies.
Recommendations: If possible, you should set the HttpOnly flag for these cookies. Note that a cookie named XSRF-TOKEN is usually a CSRF token that client-side script is expected to read and echo back in a request header; if that is how this application uses it, adding HttpOnly would break CSRF protection, and the finding should instead be recorded as an accepted exception. The _session cookie is not listed under this alert, which suggests it already carries HttpOnly.
Alert variants:
Cookies without HttpOnly flag set:
Details:
https://www.33xp.cn/
Set-Cookie: XSRF-TOKEN=eyJpdiI6IlFCS1VsOHpXeUt4aGNhclU4MTJOR3c9PS

GET / HTTP/1.1
Referer: https://www.33xp.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: www.33xp.cn
Connection: Keep-alive

Web Server
Alert group: Cookies without Secure flag set (verified)
Severity: Low
Description: One or more cookies do not have the Secure flag set. When a cookie is set with the Secure flag, it instructs the browser to send the cookie only over secure SSL/TLS channels and never over plain HTTP. This is an important security protection for session cookies.
Recommendations: If possible, you should set the Secure flag for these cookies. Since the site is served over HTTPS and already sends an HSTS header, both cookies can carry the Secure flag without any loss of functionality.
Alert variants:
Cookies without Secure flag set:
Details:
https://www.33xp.cn/
Set-Cookie: XSRF-TOKEN=eyJpdiI6IlFCS1VsOHpXeUt4aGNhclU4MTJOR3c9PS

https://www.33xp.cn/
Set-Cookie: _session=eyJpdiI6IndrdGRJcnIwQ2NxVVRPS0VrcllLdVE9PSIs

GET / HTTP/1.1
Referer: https://www.33xp.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: www.33xp.cn
Connection: Keep-alive

Web Server
Alert group: Content Security Policy (CSP) not implemented
Severity: Informational
Description: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value of this header is a string containing the policy directives describing your Content Security Policy. To implement CSP, you should define lists of allowed origins for all of the types of resources that your site utilizes. For example, if you have a simple site that needs to load scripts, stylesheets, and images hosted locally, as well as the jQuery library from its CDN, the CSP header could look like the following:

    Content-Security-Policy: default-src 'self'; script-src 'self' https://code.jquery.com;

It was detected that your web application doesn't implement Content Security Policy (CSP), as the CSP header is missing from the response.
Recommendations: It's recommended to implement Content Security Policy (CSP) in your web application. Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control the resources the user agent is allowed to load for that page. Deploying the policy first as Content-Security-Policy-Report-Only, with a report-uri or report-to endpoint, shows what it would block before it is enforced; the coverage report below shows the site's scripts and stylesheets are served from its own /assets/ paths, so 'self' is the natural starting point.
Alert variants:
Paths without CSP header:
Details: https://www.33xp.cn/

GET / HTTP/1.1
Referer: https://www.33xp.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: www.33xp.cn
Connection: Keep-alive

Web Server
Alert group: HTTP Strict Transport Security (HSTS) Best Practices
Severity: Informational
Description: HTTP Strict Transport Security (HSTS) tells a browser that a web site is only accessible using HTTPS. It was detected that your web application doesn't implement the best practices of HTTP Strict Transport Security (HSTS).
Recommendations: It's recommended to implement the best practices of HTTP Strict Transport Security (HSTS) in your web application. Consult the web references for more information. Add includeSubDomains only once every subdomain of the site is served over HTTPS, because browsers will then refuse plain-HTTP connections to any subdomain for the full max-age.
Alert variants:
URLs where HSTS configuration is not according to best practices:
Details: https://www.33xp.cn/: No includeSubDomains directive

GET / HTTP/1.1
Referer: https://www.33xp.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: www.33xp.cn
Connection: Keep-alive

Web Server
Alert group: Insecure Referrer Policy
Severity: Informational
Description: Referrer Policy controls the behaviour of the Referer header, which indicates the origin or web page URL the request was made from. The web application uses an insecure Referrer Policy configuration that may leak users' information to third-party sites.
Recommendations: Consider setting the Referrer-Policy header to 'strict-origin-when-cross-origin' or a stricter value. Current browsers already default to strict-origin-when-cross-origin when the header is absent, but setting it explicitly covers older browsers whose default (no-referrer-when-downgrade) sends the full URL, including any query string, to third-party sites.
Alert variants:
URLs where Referrer Policy configuration is insecure:
Details: https://www.33xp.cn/

GET / HTTP/1.1
Referer: https://www.33xp.cn/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Host: www.33xp.cn
Connection: Keep-alive
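The header and cookie checks behind the alerts above (X-Frame-Options, CSP, HSTS, Referrer-Policy, and the SameSite, HttpOnly and Secure cookie attributes) can be replayed offline against a captured response so that a fix is verified before the site is rescanned. The following auditor is an added example and is not part of the Acunetix report or of the scanned site's code. Both response heads in it are constructed for the example: only the nginx banner, the two cookie names and the set of missing headers come from the report, while the HSTS value and the cookie attributes are assumptions. The TLS 1.1 alert is not covered because it needs a live connection.

```python
"""Added example, not part of the Acunetix report: replay its header and
cookie checks offline against a captured HTTP/1.1 response head."""
from __future__ import annotations

SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs; repeated headers such as
    Set-Cookie stay separate. The status line and any body are skipped."""
    pairs: list[tuple[str, str]] = []
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value: str) -> tuple[str, dict[str, str]]:
    """Split 'name=v; Path=/; Secure; SameSite=Lax' into the cookie name and
    a dict of lower-cased attributes (flags without a value map to '')."""
    parts = [p.strip() for p in value.split(";")]
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return parts[0].split("=", 1)[0], attrs


def audit(raw: str) -> list[str]:
    """One finding per misconfiguration, grouped like the report's alerts."""
    headers = parse_headers(raw)

    def values(name: str) -> list[str]:
        return [v for k, v in headers if k == name]

    findings: list[str] = []
    # Clickjacking: CSP frame-ancestors supersedes X-Frame-Options, so the
    # page is framable by other sites only when both controls are absent.
    csp = values("content-security-policy")
    if not values("x-frame-options") and "frame-ancestors" not in " ".join(csp).lower():
        findings.append("Clickjacking: no X-Frame-Options and no CSP frame-ancestors")
    if not csp:
        findings.append("Content Security Policy (CSP) not implemented")
    # HSTS best practices: header present with max-age and includeSubDomains.
    hsts = values("strict-transport-security")
    directives = [d.strip().lower() for d in hsts[0].split(";")] if hsts else []
    if not any(d.startswith("max-age=") for d in directives):
        findings.append("HSTS: header or max-age directive missing")
    elif "includesubdomains" not in directives:
        findings.append("HSTS: no includeSubDomains directive")
    # Referrer-Policy may be a comma-separated fallback list; browsers apply
    # the last token they recognise, so that is the token that must be safe.
    policy = values("referrer-policy")
    tokens = [t.strip().lower() for t in policy[0].split(",")] if policy else []
    if not tokens or tokens[-1] not in SAFE_REFERRER_POLICIES:
        findings.append("Insecure Referrer Policy: " + (tokens[-1] if tokens else "header missing"))
    # Cookie attributes: one finding per missing attribute, per cookie.
    for set_cookie in values("set-cookie"):
        name, attrs = parse_set_cookie(set_cookie)
        if "samesite" not in attrs:
            findings.append(f"Cookie {name} without SameSite attribute")
        if "httponly" not in attrs:
            findings.append(f"Cookie {name} without HttpOnly flag")
        if "secure" not in attrs:
            findings.append(f"Cookie {name} without Secure flag")
    return findings


# Constructed response head approximating what the scanner saw: banner, cookie
# names and missing headers are from the report; the HSTS value and cookie
# attributes are assumed (_session gets HttpOnly, since that alert lists only XSRF-TOKEN).
ORIGINAL_RESPONSE = "\n".join([
    "HTTP/1.1 200 OK",
    "Server: nginx",
    "Strict-Transport-Security: max-age=31536000",
    "Set-Cookie: XSRF-TOKEN=eyJpdiI6IlFCS1VsOHpXeUt4aGNhclU4MTJOR3c9PS; Max-Age=7200; path=/",
    "Set-Cookie: _session=eyJpdiI6IndrdGRJcnIwQ2NxVVRPS0VrcllLdVE9PSIs; Max-Age=7200; path=/; httponly",
])

# The same head after the recommendations are applied. XSRF-TOKEN keeps HttpOnly
# off on purpose: a CSRF token cookie is normally read by client-side script, so
# the scanner will keep flagging it and the finding is an accepted exception.
HARDENED_RESPONSE = "\n".join([
    "HTTP/1.1 200 OK",
    "Server: nginx",
    "X-Frame-Options: DENY",
    "Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Referrer-Policy: strict-origin-when-cross-origin",
    "Set-Cookie: XSRF-TOKEN=eyJpdiI6IlFCS1VsOHpXeUt4aGNhclU4MTJOR3c9PS; Max-Age=7200; Path=/; Secure; SameSite=Lax",
    "Set-Cookie: _session=eyJpdiI6IndrdGRJcnIwQ2NxVVRPS0VrcllLdVE9PSIs; Max-Age=7200; Path=/; Secure; HttpOnly; SameSite=Lax",
])

if __name__ == "__main__":
    for label, response in (("before", ORIGINAL_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(label, *audit(response), sep="\n  ")
```

Run as a script it prints nine findings for the constructed "before" head and a single one (the intentionally JS-readable XSRF-TOKEN) for the "after" head. To check a live server, pass the output of `curl -s -D - -o /dev/null https://www.33xp.cn/` to audit() instead of the constructed sample; the function stops at the blank line, so a captured body does no harm.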

Web Server
Alert group: TLS 1.1 enabled
Severity: Informational
Description: The web server supports encryption through TLS 1.1. When aiming for Payment Card Industry (PCI) Data Security Standard (DSS) compliance, it is recommended (although at the time of writing not required) to use TLS 1.2 or higher instead. According to PCI, "30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data."
Recommendations: It is recommended to disable TLS 1.1 and replace it with TLS 1.2 or higher. TLS 1.0 and 1.1 were formally deprecated by RFC 8996 in March 2021, and the major browsers had already removed support for them in 2020, so disabling TLS 1.1 carries no compatibility cost for ordinary web clients.
Alert variants:
Details: The SSL server (port 443) encrypts traffic using TLSv1.1.
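Every alert in this report is a response-header or TLS setting, and the server information above says the site is fronted by nginx, so all of them can be addressed in one server block. The configuration below is an added example, not the scanned site's real configuration: the certificate paths, the upstream address 127.0.0.1:8000, the exact CSP source lists and the choice of SameSite=Lax are assumptions, and the proxy_cookie_flags directive requires nginx 1.19.3 or later.

```nginx
# Added example for www.33xp.cn, not the site's actual nginx configuration.
server {
    listen 443 ssl http2;
    server_name www.33xp.cn;
    ssl_certificate     /etc/nginx/certs/www.33xp.cn.pem;   # assumed path
    ssl_certificate_key /etc/nginx/certs/www.33xp.cn.key;   # assumed path

    # "TLS 1.1 enabled": offer only TLS 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;

    # "Clickjacking" and "CSP not implemented": frame-ancestors is the modern
    # control, X-Frame-Options is kept for browsers without CSP support and
    # both say the same thing. Test the CSP as Content-Security-Policy-Report-Only
    # first; the source lists here are assumptions about what the site loads.
    # "always" makes nginx add the headers on error responses as well.
    add_header X-Frame-Options "DENY" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; frame-ancestors 'none'" always;

    # "HSTS best practices": includeSubDomains only once every subdomain is HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # "Insecure Referrer Policy"
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Caveat: add_header is inherited from this level only if the location
    # block declares no add_header of its own; keep them all in one place.
    location / {
        proxy_pass http://127.0.0.1:8000;   # assumed upstream application

        # "Cookies without Secure / HttpOnly / SameSite": add the attributes to
        # cookies the upstream sets. XSRF-TOKEN deliberately gets no httponly
        # because a CSRF token cookie is meant to be read by client-side script.
        proxy_cookie_flags _session   secure httponly samesite=lax;
        proxy_cookie_flags XSRF-TOKEN secure samesite=lax;
    }
}
```

After reloading nginx, a rescan should clear everything except the HttpOnly finding on XSRF-TOKEN, which is the deliberate exception noted under that alert; the cookie flags can alternatively be set in the application's own session configuration rather than rewritten at the proxy.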

Scanned items (coverage report)
https://www.33xp.cn/
https://www.33xp.cn/assets/
https://www.33xp.cn/assets/hyper/
https://www.33xp.cn/assets/hyper/css/
https://www.33xp.cn/assets/hyper/css/app-creative.min.css
https://www.33xp.cn/assets/hyper/css/hyper-loading.css
https://www.33xp.cn/assets/hyper/css/icons.min.css
https://www.33xp.cn/assets/hyper/css/vendor/
https://www.33xp.cn/assets/hyper/css/vendor/jquery-jvectormap-1.2.2.css
https://www.33xp.cn/assets/hyper/js/
https://www.33xp.cn/assets/hyper/js/app.min.js
https://www.33xp.cn/assets/hyper/js/vendor.min.js
https://www.33xp.cn/assets/style/
https://www.33xp.cn/assets/style/js/
https://www.33xp.cn/assets/style/js/jquery-3.4.1.min.js
https://www.33xp.cn/buy/
https://www.33xp.cn/buy/1
https://www.33xp.cn/buy/2
https://www.33xp.cn/buy/3
https://www.33xp.cn/buy/7
https://www.33xp.cn/order-search
https://www.33xp.cn/robots.txt
https://www.33xp.cn/uploads/
https://www.33xp.cn/uploads/images/
