
Automated Security Analyser for ASP.NET Websites


Scan of www.bestxxxgals.info — www.bestxxxgals.info - Watch and enjoy free porn pics.


Server: cloudflare | X-Powered-By: Unknown | X-AspNet-Version: Unknown | X-AspNetMvc-Version: Unknown
Web forms app: No | ASP.NET site: No | ASP.NET version: Unknown

6 requests were made by ASafaWeb:

#  | URL                                                  | Page title                                             | Response size | Duration
1. | http://www.bestxxxgals.info/                         | www.bestxxxgals.info - Watch and enjoy free porn pics. | 32,713 bytes  | 296 ms
2. | http://www.bestxxxgals.info/trace.axd                | www.bestxxxgals.info - Watch and enjoy free porn pics. | 32,713 bytes  | 287 ms
3. | http://www.bestxxxgals.info/<                        | www.bestxxxgals.info - Watch and enjoy free porn pics. | 32,713 bytes  | 767 ms
4. | http://www.bestxxxgals.info/foo/trace.axd            | www.bestxxxgals.info - Watch and enjoy free porn pics. | 32,713 bytes  | 825 ms
5. | http://www.bestxxxgals.info/ (POST 1,001 params)     | www.bestxxxgals.info - Watch and enjoy free porn pics. | 32,713 bytes  | 197 ms
6. | http://www.bestxxxgals.info/elmah.axd                | www.bestxxxgals.info - Watch and enjoy free porn pics. | 32,713 bytes  | 772 ms
Total                                                                                                          | 196,278 bytes | 3,144 ms
Summary of results:

Tracing: Pass
Custom errors: Pass
Stack trace: Pass
Request validation: Not tested
HTTP to HTTPS: Pass
Hash DoS patch: Not tested
ELMAH log: Pass
Excessive headers: Warning
HTTP only cookies: Pass
Secure cookies: Pass
Clickjacking: Warning
View state MAC: Not tested

Tracing: Pass

Requested URL: http://www.bestxxxgals.info/trace.axd | Response URL: http://www.bestxxxgals.info/ | Page title: www.bestxxxgals.info - Watch and enjoy free porn pics. | HTTP status code: 200 (OK) | Response size: 32,713 bytes (gzip'd) | Duration: 287 ms

Overview

Tracing enables you to view diagnostic information about requests for ASP.NET pages. When it's enabled in a production environment, it poses a disclosure risk by exposing information about the internal operation of the page.

Result

Tracing does not appear to be enabled, as the request didn't return a page with a heading called "Application Trace".

More reading

ASP.NET Tracing Overview

Custom errors: Pass

Requested URL: http://www.bestxxxgals.info/foo/trace.axd | Response URL: http://www.bestxxxgals.info/ | Page title: www.bestxxxgals.info - Watch and enjoy free porn pics. | HTTP status code: 200 (OK) | Response size: 32,713 bytes (gzip'd) | Duration: 825 ms

Overview

Custom errors are used to ensure that internal error messages are not exposed to end users. Instead, a custom error message should be returned which provides a friendlier user experience and keeps potentially sensitive internal implementation information away from public view.

Result

Good news — custom errors appear to be configured correctly! The requested URL didn't return a heading titled "Server Error in" so chances are there's nothing more to configure with the custom errors.

More reading

customErrors Element (ASP.NET Settings Schema)

Stack trace: Pass

Requested URL: http://www.bestxxxgals.info/foo/trace.axd | Response URL: http://www.bestxxxgals.info/ | Page title: www.bestxxxgals.info - Watch and enjoy free porn pics. | HTTP status code: 200 (OK) | Response size: 32,713 bytes (gzip'd) | Duration: 825 ms

Overview

Stack traces are used during the development process to provide verbose information when a server error occurs. This information can be leveraged to exploit the application as it discloses potentially sensitive information about the internal implementation of the website. Custom errors should be used to keep this information from view.

Result

Good news — no stack trace was found! The requested URL didn't return an error page with "<b>Stack Trace:</b>" in it so chances are this is already configured correctly.

More reading

customErrors Element (ASP.NET Settings Schema)

Request validation: Not tested

Requested URL: http://www.bestxxxgals.info/ | Response URL: http://www.bestxxxgals.info/ | Page title: www.bestxxxgals.info - Watch and enjoy free porn pics. | HTTP status code: 200 (OK) | Response size: 32,713 bytes (gzip'd) | Duration: 296 ms

Overview

In a web forms site, request validation ensures all requests to the website do not contain a potentially malicious payload. This protects against the likelihood of cross site scripting (XSS) vulnerabilities being exploited on the site.

Result

Because no View State could be found in the source of the site tested, it's assumed that it isn't a web forms app so the test hasn't been run.

More reading

HttpRequestValidationException Class | Request Validation, DotNetNuke and design utopia

HTTP to HTTPS redirect: Pass

Requested URL: http://www.bestxxxgals.info/ | Response URL: http://www.bestxxxgals.info/ | Page title: www.bestxxxgals.info - Watch and enjoy free porn pics. | HTTP status code: 200 (OK) | Response size: 32,713 bytes (gzip'd) | Duration: 296 ms

Overview

When a website redirects the user from an HTTP address to an HTTPS one, there is a risk that an attacker could launch a man in the middle attack by intercepting the original HTTP request and returning a malicious response.

Result

The address you entered uses the HTTP scheme and the response was also in the HTTP scheme so this test has passed.

More reading

SSL Best Practices | OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection

Hash DoS patch: Not tested

Requested URL: http://www.bestxxxgals.info/ (POST 1,001 params) | Response URL: http://www.bestxxxgals.info/ | Page title: www.bestxxxgals.info - Watch and enjoy free porn pics. | HTTP status code: 200 (OK) | Response size: 32,713 bytes (gzip'd) | Duration: 197 ms

Overview

The hash table denial of service vulnerability (hash DoS) allows an attacker to make a POST request with a very large number of parameters constructed to cause hash collisions when parsed by ASP.NET. These collisions are very computationally expensive and can cause CPU utilisation to spike, preventing the server from processing legitimate requests. Microsoft patched the risk in security update MS11-100, then resolved it permanently with the release of .NET 4.5.

Important: This scan is intended for ASP.NET websites. Results for sites built on other technologies do not indicate that they are either vulnerable to or protected from the hash DoS exploit. Look at the request made by ASafaWeb, understand what the response means and draw your own conclusions as to the risk.

Result

It's difficult to ascertain whether security update MS11-100 has been installed, or whether the site is running under .NET 4.5. A POST request with 1,001 form parameters named "0" through "1000" is used to see if the site returns an error message, which would indicate that the patch has been installed. Unfortunately, for sites that are not web forms apps (such as MVC sites), this test only works if the Request.Form object is accessed.

In this case, the response from posting excessive form variables is the same as the response from a legitimate GET request, which means that either the patch is not installed or the page simply isn't reading any form variables. Try scanning a page that normally processes POST data and you should get a more conclusive result.

More reading

Has the hash DoS patch been installed on your site? Check it right now with ASafaWeb!

ELMAH log: Pass

Requested URL: http://www.bestxxxgals.info/elmah.axd | Response URL: http://www.bestxxxgals.info/ | Page title: www.bestxxxgals.info - Watch and enjoy free porn pics. | HTTP status code: 200 (OK) | Response size: 32,713 bytes (gzip'd) | Duration: 772 ms

Overview

ELMAH is used extensively by ASP.NET websites for error logging and handling. When improperly configured, ELMAH error logs can be easily viewed without any access controls thus exposing potentially sensitive information about the website.

Result

Good news — an ELMAH log was not returned by this scan as the requested URL did not contain a response with a heading titled "Error log for". Either ELMAH is not being used on the site or it has been properly secured and is not publicly accessible.

More reading

ASP.NET session hijacking with Google and ELMAH | Securing Elmah in ASP.NET website | Securing Error Log Pages

Excessive headers: Warning

Requested URL: http://www.bestxxxgals.info/ | Response URL: http://www.bestxxxgals.info/ | Page title: www.bestxxxgals.info - Watch and enjoy free porn pics. | HTTP status code: 200 (OK) | Response size: 32,713 bytes (gzip'd) | Duration: 296 ms

Overview

By default, excessive information about the server and frameworks used by an ASP.NET application is returned in the response headers. These headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in them.

Result

The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

  1. Server: cloudflare

Configuring the application to not return unnecessary headers keeps this information silent and makes it significantly more difficult to identify the underlying frameworks.

More reading

Shhh… don’t let your response headers talk too loudly

HTTP only cookies: Pass

Requested URL: http://www.bestxxxgals.info/ | Response URL: http://www.bestxxxgals.info/ | Page title: www.bestxxxgals.info - Watch and enjoy free porn pics. | HTTP status code: 200 (OK) | Response size: 32,713 bytes (gzip'd) | Duration: 296 ms

Overview

Cookies not flagged as "HttpOnly" may be read by client side script and are at risk of being intercepted by a cross site scripting (XSS) attack. Whilst there are times when a cookie set by the server may be legitimately read by client script, most times the "HttpOnly" flag is missing it is due to oversight rather than design.

Result

Good news — none of the requests made to the site returned a cookie not flagged as "HttpOnly".

More reading

C is for cookie, H is for hacker – understanding HTTP only and Secure cookies

Secure cookies: Pass

Requested URL: http://www.bestxxxgals.info/ | Response URL: http://www.bestxxxgals.info/ | Page title: www.bestxxxgals.info - Watch and enjoy free porn pics. | HTTP status code: 200 (OK) | Response size: 32,713 bytes (gzip'd) | Duration: 296 ms

Overview

Cookies served over HTTPS but not flagged as "secure" may be sent over an insecure connection by the browser. Often this is a simple request for an asset such as a bitmap file, but if that request is made to the same domain the cookie is valid for, the cookie will be sent over the insecure connection. This poses a risk of interception via a man in the middle attack.

Result

Good news — no requests resulted in an HTTPS response so no cookies could have benefited from being flagged as secure.

More reading

C is for cookie, H is for hacker – understanding HTTP only and Secure cookies

Clickjacking: Warning

Requested URL: http://www.bestxxxgals.info/ | Response URL: http://www.bestxxxgals.info/ | Page title: www.bestxxxgals.info - Watch and enjoy free porn pics. | HTTP status code: 200 (OK) | Response size: 32,713 bytes (gzip'd) | Duration: 296 ms

Overview

Websites are at risk of a clickjacking attack when they allow their content to be embedded within a frame. An attacker may use this to invisibly load the target website into their own site and trick users into clicking on links they never intended to. An "X-Frame-Options" header should be sent by the server to either deny framing of content, allow it only from the same origin, or allow it only from trusted URIs.

Result

It doesn't look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

More reading

Clickjack attack – the hidden threat right in front of you

View state MAC: Not tested

Requested URL: http://www.bestxxxgals.info/ | Response URL: http://www.bestxxxgals.info/ | Page title: www.bestxxxgals.info - Watch and enjoy free porn pics. | HTTP status code: 200 (OK) | Response size: 32,713 bytes (gzip'd) | Duration: 296 ms

Overview

MAC (message authentication code) is used to ensure the integrity of view state by hashing the contents with a private key, then validating the hash when the view state is posted back to the server. Disabling view state MAC removes this validation process and may pose significant risks to the application's security profile if an attacker is able to manipulate the view state and post it back to the web site.

Result

There was no view state found in any of the responses returned by the server, so the test hasn't been run.

More reading

Understanding (and testing for) view state MAC in ASP.NET web forms


Don't stop here — a good scan result doesn't mean you're safe. The scans performed by ASafaWeb should be treated as cursory only. They'll pick up some common configuration related vulnerabilities but there are many, many aspects of application security it won't (or even can't) review. So what next? Spend some time reading through the OWASP Top 10 for .NET Developers Series:

  1. Injection
  2. Cross-Site Scripting (XSS)
  3. Broken Authentication and Session Management
  4. Insecure Direct Object References
  5. Cross-Site Request Forgery (CSRF)
  6. Security Misconfiguration
  7. Insecure Cryptographic Storage
  8. Failure to Restrict URL Access
  9. Insufficient Transport Layer Protection
  10. Unvalidated Redirects and Forwards