419 matches found
VOOKI - Web Application Vulnerability Scanner
Vooki is a free web application vulnerability scanner. Vooki is a user-friendly tool that you can easily scan any web application and find the vulnerabilities. Vooki includes Web Application Scanner, Rest API Scanner, and reporting section. Vooki – Web Application Scanner can help you to find the...
IBM Flashsystem / Storwize CSRF / Arbitrary File Read / Information Disclosure
Vulnerabilities in IBMs Flashsystems and Storwize Products ------------------------------------------------------------------------- Introduction ============ Vulnerabilities were identified in the IBM Flashsystem 840, IBM Flashsystem 900 and IBM Storwize V7000. These were discovered during a bla...
How to create rewrite policy for Security Headers
This article explains how to create rewrite policy for content security headers, XSS protection, HSTS, X-Content-Type-Options & Content-Security-Policy ADC appliances support HTTP strict transport security HSTS as an inbuilt option in SSL profiles and SSL virtual servers...
WPHunter - Wordpress Vulnerability Scanner
You can use this tool on your wordpress website to check the security of your website by finding the vulnerability in your website. Over 75 million websites run on WordPress. which is now powers 26% of the Web. Remarkably enough thousands of WP sites are vulnerable to attacks and get hacked each...
HTTP Security Headers Detection
All known security headers are being checked on the remote web server. On completion a report will hand back whether a specific security header has been implemented including its value and if it is deprecated or is missing on the target. SPDX-FileCopyrightText: 2017 Greenbone AG Some text...
http-security-headers NSE Script
Checks for the HTTP response headers related to security given in OWASP Secure Headers Project and gives a brief description of the header and its configuration value. The script requests the server for the header with http.head and parses it to list headers founds with their configurations. The...
WordPress: Clickjacking In jobs.wordpress.net
A clickjacking issue was reported due to lack of security headers. It was not assessed as a security issue but a hardening fix was still deployed, without a bounty, as issues arising out of "Lack of HTTP security headers" are not applicable...
Nextcloud: Reflected XSS in error pages (NC-SA-2017-008)
Hello, I found a HTML injection vulnerability 1 flaw in the Nextcloud and Owncloud latest version. Through this vulnerability an attacker could manipulate the website. This vulnerability could affect to the logged users. An attacker could send a malicious link that contains the manipulated URL to...
http-cookie-flags NSE Script
Examines cookies set by HTTP services. Reports any session cookies set without the httponly flag. Reports any session cookies set over SSL without the secure flag. If http-enum.nse is also run, any interesting paths found by it will be checked in addition to the root. See also: http-enum.nse...
Universal MITM Web Server: CopyCat
Universal MITM Web Server CopyCat is a Node.js based universal MITM web server. Used with DNS spoofing or another redirect attack, this server will act as a MITM for web traffic between the victim and a real server. Most often we see DNS spoofing used to redirect victims to an attackers server...
Open-Xchange: Web Browser XSS Protection Not Enabled
Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server http://www.dovecot.fi/s=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Csystem.ini&submit=Search...
yawast - The YAWAST Antecedent Web Application Security Toolkit
YAWAST is an application meant to simplify initial analysis and information gathering for penetration testers and security auditors. It performs basic checks in these categories: TLS/SSL - Versions and cipher suites supported; common issues. Information Disclosure - Checks for common information...
JGroups: Authorization bypass
It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information...
Legal Robot: AWS S3 website can't serve security headers, may allow clickjacking
Security researcher discovered that our AWS S3 website was not serving some basic security headers like X-Frame-Options. We resolved the issue by putting nginx in front of our AWS S3 website and adding header directives. Fixed security headers can be verified here: https://schd.io/zt...
Deriv.com: Http Response Splitting - Validate link
So i found a http response splitting issue in your website. If we visit the following url: https://www.binary.com/user/validatelink?step=account&verifytoken=sometoken We will get a response header that says: Set-Cookie: verifytoken=sometoken; expires=Wed, 28 Oct 2015 23:31:35 GMT;...
Coinbase: OAuth authorization page vulnerable to clickjacking
Due to a misconfiguration, the 'authorize' button on the OAuth authorization page was vulnerable to clickjacking. The bug was fixed by ensuring our OAuth-related responses included the same security headers including X-Frame-Options as the rest of the site...
Legal Robot: Missing security headers, possible clickjacking
Security researcher discovered missing headers, including x-frame-options and content-security-policy...
RAWR - Rapid Assessment of Web Resources
Features A customizable CSV containing ordered information gathered for each host, with a field for making notes/etc. An elegant, searchable, JQuery-driven HTML report that shows screenshots, diagrams, and other information. A report on relevent security headers, courtesy of SmeegeSec. a CSV Thre...
RAWR – Rapid Assessment of Web Resources
RAWR is designed to make the process of web enumeration easy and efficient by providing pertinent information in usable formats. It uses NMaplive or from file, Metasploit, Qualys, Nexpose, or Nessus scan data to target web services for enumeration, then visits each host on each port with an...