7 matches found

Hacker One
added 2015/04/05 11:39 p.m., 19 views

Factlink: Frameset Proxy Problem

I was testing out the proxy pages http://fct.li, http://staging.fct.li and I found that if I create an HTML page with a frameset (not to be confused with iframe), then I would be able to get rid of the dialog in the top right corner that reads: "You're looking at this page through Factlink visit original...

AI score: 7
Exploits: 0

Hacker One
added 2014/11/14 5:30 a.m., 34 views

Factlink: File name/folder enumeration.

Hello, an attacker may be able to map your server and find configuration file names by the following method: Valid attempt Not found: https://staging.factlink.com/%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd Invalid attempt 404...

AI score: 0.6
Exploits: 0

Hacker One
added 2014/06/07 4:34 p.m., 22 views

Factlink: Cryptographic Issue: Strict Transport Security with not good max age..(TOO SHORT!)

Issue: Strict Transport Security with too short max age. Description: Your site uses a good "Strict Transport Security" but with a short MAX AGE! Severity: See more information below. Proof of Concept by ssllabs.com 100% reliability: "Strict Transport Security HSTS Yes max-age=2592000 TOO SHORT les...

AI score: 6.7
Exploits: 0

Hacker One
added 2014/06/03 7:20 a.m., 21 views

Factlink: Anonymous Proxy and IP leak

http://fct.li/?url=whatismyipaddress.com A hacker can surf the internet via the FACTLINK proxy server...

AI score: 1.7
Exploits: 0

Hacker One
added 2014/06/02 5:16 p.m., 32 views

Factlink: Password reset link doesn't expire.

The password reset link sent by Factlink doesn't expire even after a long period of time. As a Factlink account can be created 'without confirming' the email id, this should be patched as a best practice...

AI score: 0.8
Exploits: 0

Hacker One
added 2014/05/27 2:18 p.m., 23 views

Factlink: X/Csrf token problem

I found that you are using an X/Csrf token as a protection against CSRF attacks. But you are using the same X/Csrf token in and out, e.g. z3qrwilV8lz7CXsMhmvqxn+93GDZm/m9w/d5DZjoj8w= This token is the same before and after log-in. This must be patched as it may result in session hacks...

AI score: 1.4
Exploits: 0

Hacker One
added 2014/05/27 10:41 a.m., 28 views

Factlink: Session not expired on logout

Factlink is not expiring sessions immediately after logout. 1. Log on to https://staging.factlink.com/ 2. Open HTTP LIVE HEADERS and log in at https://staging.factlink.com/ with your correct username and password 3. Capture a request, for example click on settings...

AI score: 1
Exploits: 0