Wapiti vulnerability report

Target: https://dev.a1mc.ru/

Date of the scan: Thu, 25 Sep 2025 11:49:23 +0000. Scope of the scan: folder. Crawled pages: 413


Summary

Category Number of vulnerabilities found
Backup file 0
Cleartext Submission of Password 0
Weak credentials 0
CRLF Injection 0
Content Security Policy Configuration 1
Cross Site Request Forgery 0
Potentially dangerous file 0
Command execution 0
Path Traversal 0
Fingerprint web application framework 0
Fingerprint web server 0
Htaccess Bypass 0
HTML Injection 0
Clickjacking Protection 1
HTTP Strict Transport Security (HSTS) 1
MIME Type Confusion 1
HttpOnly Flag cookie 1
Unencrypted Channels 0
Inconsistent Redirection 0
Information Disclosure - Full Path 0
LDAP Injection 0
Log4Shell 0
Open Redirect 0
Reflected Cross Site Scripting 0
Secure Flag cookie 1
Spring4Shell 0
SQL Injection 0
TLS/SSL misconfigurations 0
Server Side Request Forgery 0
Stored HTML Injection 0
Stored Cross Site Scripting 0
Subdomain takeover 0
Blind SQL Injection 0
Unrestricted File Upload 0
Vulnerable software 0
Internal Server Error 0
Resource consumption 0
Review Webserver Metafiles for Information Leakage 0
Fingerprint web technology 0
HTTP Methods 0

Content Security Policy Configuration

Description
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

🟡 Vulnerability found in /

CSP is not set for URL: https://dev.a1mc.ru/
Solutions
Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control what resources the user agent is allowed to load for that page.

Clickjacking Protection

Description
Clickjacking is a technique that tricks a user into clicking something different from what the user perceives, potentially revealing confidential information or taking control of their computer.

🟡 Vulnerability found in /

X-Frame-Options is not set
Solutions
Implement X-Frame-Options or Content Security Policy (CSP) frame-ancestors directive.

HTTP Strict Transport Security (HSTS)

Description
HSTS is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.

🟡 Vulnerability found in /

Strict-Transport-Security is not set
Solutions
Implement the HTTP Strict Transport Security header to enforce secure connections to the server.

MIME Type Confusion

Description
MIME type confusion can occur when a browser interprets files as a different type than intended, which could lead to security vulnerabilities like cross-site scripting (XSS).

🟡 Vulnerability found in /konohamod/

X-Content-Type-Options is not set
Solutions
Implement X-Content-Type-Options to prevent MIME type sniffing.

HttpOnly Flag cookie

Description
HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Setting the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie (if the browser supports it).

🟡 Vulnerability found in /photo/

HttpOnly flag is not set on the cookie 'PHPSESSID' set at 'https://dev.a1mc.ru/photo/'
Solutions
When creating the cookie, make sure to set the HttpOnly flag to True.

Secure Flag cookie

Description
The Secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP response. The purpose of the Secure flag is to prevent the cookie from being observed by unauthorized parties due to its transmission in clear text.

🟡 Vulnerability found in /photo/

Secure flag is not set on the cookie: 'PHPSESSID' set at 'https://dev.a1mc.ru/photo/'
Solutions
When generating the cookie, make sure to set the Secure flag to True.