[{"_id":{"$oid":"69dc979b90e4b2b558182912"},"url":"https://cp-club-vjti.vercel.app/","tool":"burp","results":{"metadata":{"issue_counts":{"Medium":{"Certain":0,"Firm":0,"Tentative":0,"Total":0},"Low":{"Certain":0,"Firm":0,"Tentative":0,"Total":0},"Information":{"Certain":40,"Firm":5,"Tentative":0,"Total":45},"False Positive":{"Certain":0,"Firm":0,"Tentative":0,"Total":0},"High":{}},"report_generated":"Report generated by Burp Suite web vulnerability scanner v2026.3.2, at Mon Apr 13 07:12:57 UTC 2026.","scan_id":"3b39ab75"},"vulnerabilities":[{"title":"Cross-origin resource sharing","raw_title":"1. Cross-origin resource sharing","anchor_id":"1","reference_url":"https://portswigger.net/knowledgebase/issues/details/00200600_crossoriginresourcesharing","summary":{},"details":{"Issue background":"An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request.\nIf another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially retrieve content from the application, and sometimes carry out actions within the security context of the logged in user.\n\nEven if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by an attacker to exploit the trust relationship and attack the application that allows access. 
CORS policies on pages containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the intentions and security posture of any domains granted access.","Issue remediation":"Any inappropriate domains should be removed from the CORS policy.","References":[{"text":"Web Security Academy: Cross-origin resource sharing (CORS)","href":"https://portswigger.net/web-security/cors"},{"text":"Exploiting CORS Misconfigurations","href":"https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties"}],"Vulnerability classifications":[{"text":"CWE-942: Overly Permissive Cross-domain Whitelist","href":"https://cwe.mitre.org/data/definitions/942.html"}]},"evidence":[],"instances":[{"anchor_id":"1.1","url":"https://cp-club-vjti.vercel.app/","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.2","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/239-640162831b5f60b2.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/239-640162831b5f60b2.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.3","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/255-cb395327542b56ef.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/255-cb395327542b56ef.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.4","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/297-7295b248ad97a1e5.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/297-7295b248ad97a1e5.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.5","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/4bd1b696-c023c6e3521b1417.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/4bd1b696-c023c6e3521b1417.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.6","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/app/contest/page-91906ffe0716aba7.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/app/contest/page-91906ffe0716aba7.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.7","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/app/layout-6c71e4ff1d3693b7.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/app/layout-6c71e4ff1d3693b7.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.8","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/app/leaderboard/page-6d6537d797163bf4.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/app/leaderboard/page-6d6537d797163bf4.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.9","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/app/loading-1b6371ae7450f3d4.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/app/loading-1b6371ae7450f3d4.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.10","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/app/not-found-57eecc31ee8024d4.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/app/not-found-57eecc31ee8024d4.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.11","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/app/page-64c614d130f2f409.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/app/page-64c614d130f2f409.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.12","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/main-app-f9b5d20365cb8be2.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/main-app-f9b5d20365cb8be2.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.13","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/webpack-b393c8874716cdfc.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/webpack-b393c8874716cdfc.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.14","url":"https://cp-club-vjti.vercel.app/_next/static/css/c2fcaa0cfae2bda7.css","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/css/c2fcaa0cfae2bda7.css"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.15","url":"https://cp-club-vjti.vercel.app/_next/static/media/4473ecc91f70f139-s.p.woff","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/media/4473ecc91f70f139-s.p.woff"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.16","url":"https://cp-club-vjti.vercel.app/_next/static/media/463dafcda517f24f-s.p.woff","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/media/463dafcda517f24f-s.p.woff"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"1.17","url":"https://cp-club-vjti.vercel.app/robots.txt","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/robots.txt"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]}]},{"title":"Cross-origin resource sharing: arbitrary origin trusted","raw_title":"2. Cross-origin resource sharing: arbitrary origin trusted","anchor_id":"2","reference_url":"https://portswigger.net/knowledgebase/issues/details/00200601_crossoriginresourcesharingarbitraryorigintrusted","summary":{},"details":{"Issue background":"An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. 
The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request.\n\nTrusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites. Unless the response consists only of unprotected public content, this policy is likely to present a security risk.\n\nIf the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information. Even if it does not, attackers may be able to bypass any IP-based access controls by proxying through users' browsers.","Issue remediation":"Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains.","References":[{"text":"Web Security Academy: Cross-origin resource sharing (CORS)","href":"https://portswigger.net/web-security/cors"},{"text":"Exploiting CORS Misconfigurations","href":"https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties"}],"Vulnerability classifications":[{"text":"CWE-942: Overly Permissive Cross-domain Whitelist","href":"https://cwe.mitre.org/data/definitions/942.html"}]},"evidence":[],"instances":[{"anchor_id":"2.1","url":"https://cp-club-vjti.vercel.app/","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://saskcdepyzmz.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.2","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/239-640162831b5f60b2.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/239-640162831b5f60b2.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://zesthausyupz.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.3","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/255-cb395327542b56ef.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/255-cb395327542b56ef.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://abarsyjhgwci.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.4","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/297-7295b248ad97a1e5.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/297-7295b248ad97a1e5.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://zifxxysdtcwb.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.5","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/4bd1b696-c023c6e3521b1417.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/4bd1b696-c023c6e3521b1417.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://qhqtuywlmbxm.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.6","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/app/contest/page-91906ffe0716aba7.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/app/contest/page-91906ffe0716aba7.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://qbajpaqgtvgv.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.7","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/app/layout-6c71e4ff1d3693b7.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/app/layout-6c71e4ff1d3693b7.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://vbwnilajawuc.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.8","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/app/leaderboard/page-6d6537d797163bf4.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/app/leaderboard/page-6d6537d797163bf4.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://ajhgbofrvrwa.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.9","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/app/loading-1b6371ae7450f3d4.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/app/loading-1b6371ae7450f3d4.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://gkhsgtmcosek.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.10","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/app/not-found-57eecc31ee8024d4.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/app/not-found-57eecc31ee8024d4.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://naasbfaduxon.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.11","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/app/page-64c614d130f2f409.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/app/page-64c614d130f2f409.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://qftddlbizvel.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.12","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/main-app-f9b5d20365cb8be2.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/main-app-f9b5d20365cb8be2.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://vzfmpoovbzbg.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.13","url":"https://cp-club-vjti.vercel.app/_next/static/chunks/webpack-b393c8874716cdfc.js","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/chunks/webpack-b393c8874716cdfc.js"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://btkmnkfzupxg.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.14","url":"https://cp-club-vjti.vercel.app/_next/static/css/c2fcaa0cfae2bda7.css","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/css/c2fcaa0cfae2bda7.css"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://idaspstumtes.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.15","url":"https://cp-club-vjti.vercel.app/_next/static/media/4473ecc91f70f139-s.p.woff","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/media/4473ecc91f70f139-s.p.woff"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://aaksxioschwu.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.16","url":"https://cp-club-vjti.vercel.app/_next/static/media/463dafcda517f24f-s.p.woff","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/_next/static/media/463dafcda517f24f-s.p.woff"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://zqkueuczgpim.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]},{"anchor_id":"2.17","url":"https://cp-club-vjti.vercel.app/robots.txt","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/robots.txt"},"details":{"Issue detail":"The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.\nThe application allowed access from the requested origin \nhttps://whaioohzlxtt.com\nIf the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.\nSince the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks."},"evidence":[]}]},{"title":"Frameable response (potential Clickjacking)","raw_title":"3. 
Frameable response (potential Clickjacking)","anchor_id":"3","reference_url":"https://portswigger.net/knowledgebase/issues/details/005009a0_frameableresponsepotentialclickjacking","summary":{},"details":{"Issue background":"If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.\n\nNote that some applications attempt to prevent these attacks from within the HTML page itself, using \"framebusting\" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.\n\nYou should determine whether any functions accessible within frameable pages can be used by application users to perform any sensitive actions within the application.","Issue remediation":"To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. 
Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.","References":[{"text":"Web Security Academy: Clickjacking","href":"https://portswigger.net/web-security/clickjacking"},{"text":"X-Frame-Options","href":"https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options"}],"Vulnerability classifications":[{"text":"CWE-693: Protection Mechanism Failure","href":"https://cwe.mitre.org/data/definitions/693.html"},{"text":"CWE-1021: Improper Restriction of Rendered UI Layers or Frames","href":"https://cwe.mitre.org/data/definitions/1021.html"},{"text":"CAPEC-103: Clickjacking","href":"https://capec.mitre.org/data/definitions/103.html"}]},"evidence":[],"instances":[{"anchor_id":"3.1","url":"https://cp-club-vjti.vercel.app/","summary":{"Severity":"Information","Confidence":"Firm","Host":"https://cp-club-vjti.vercel.app","Path":"/"},"details":{"Issue detail":"This issue was found in multiple locations under the reported path."},"evidence":[{"index":"1","request":"GET / HTTP/2\nHost: cp-club-vjti.vercel.app\nCache-Control: max-age=0\nSec-Ch-Ua: \"Google Chrome\";v=\"146\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"146\"\nSec-Ch-Ua-Mobile: ?0\nSec-Ch-Ua-Platform: \"Linux\"\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate, br\nConnection: close","response":"HTTP/2 200 OK\nServer: Vercel\nX-Vercel-Id: ZpBXebCKpQ5ldnSjWOMl32IT18EsIzet\nAccess-Control-Allow-Origin: *\nAge: 1825458\nCache-Control: public, max-age=0, must-revalidate\nContent-Disposition: inline\nContent-Type: text/html; charset=utf-8\nDate: Mon, 13 Apr 2026 07:00:08 
GMT\nEtag: W/\"1e58b8766fb3b0b3a0e0869d24997ee1\"\nServer: Vercel\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\nVary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch\nX-Matched-Path: /\nX-Nextjs-Prerender: 1\nX-Nextjs-Stale-Time: 300\nX-Vercel-Cache: HIT\nX-Vercel-Id: bom1::gk59t-1776063607818-81175c69b3e2\n<!DOCTYPE html><!--Hx5ZYVFh7vc13yeZypeJf--><html lang=\"en\"><head><meta charSet=\"utf-8\"/><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"/><link rel=\"preload\" href=\"/_next/static/med\n...[SNIP]..."},{"index":"2","request":"GET /robots.txt HTTP/2\nHost: cp-club-vjti.vercel.app\nCache-Control: max-age=0\nSec-Ch-Ua: \"Google Chrome\";v=\"146\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"146\"\nSec-Ch-Ua-Mobile: ?0\nSec-Ch-Ua-Platform: \"Linux\"\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate, br\nConnection: close","response":"HTTP/2 404 Not Found\nServer: Vercel\nX-Vercel-Id: ZpBXebCKpQ5ldnSjWOMl32IT18EsIzet\nAccess-Control-Allow-Origin: *\nAge: 120699\nCache-Control: public, max-age=0, must-revalidate\nContent-Disposition: inline; filename=\"404\"\nContent-Type: text/html; charset=utf-8\nDate: Mon, 13 Apr 2026 07:00:08 GMT\nEtag: W/\"7605b463f89e845c17a2ee18da7c3d24\"\nLast-Modified: Sat, 11 Apr 2026 21:28:28 GMT\nServer: Vercel\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\nX-Matched-Path: /404\nX-Next-Error-Status: 404\nX-Vercel-Cache: HIT\nX-Vercel-Id: bom1::gd5tz-1776063608312-c653e49a48ce\n<!DOCTYPE html><!--Hx5ZYVFh7vc13yeZypeJf--><html lang=\"en\"><head><meta 
charSet=\"utf-8\"/><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"/><link rel=\"preload\" href=\"/_next/static/med\n...[SNIP]..."},{"index":"3","request":"GET /leaderboard HTTP/2\nHost: cp-club-vjti.vercel.app\nCache-Control: max-age=0\nSec-Ch-Ua: \"Google Chrome\";v=\"146\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"146\"\nSec-Ch-Ua-Mobile: ?0\nSec-Ch-Ua-Platform: \"Linux\"\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate, br\nConnection: close\nReferer: https://cp-club-vjti.vercel.app/resources","response":"HTTP/2 200 OK\nServer: Vercel\nX-Vercel-Id: ZpBXebCKpQ5ldnSjWOMl32IT18EsIzet\nAccess-Control-Allow-Origin: *\nAge: 1615485\nCache-Control: public, max-age=0, must-revalidate\nContent-Disposition: inline\nContent-Type: text/html; charset=utf-8\nDate: Mon, 13 Apr 2026 07:00:09 GMT\nEtag: W/\"df34cc238b03f600a78687de5c1ca49e\"\nServer: Vercel\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\nVary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch\nX-Matched-Path: /leaderboard\nX-Nextjs-Prerender: 1\nX-Nextjs-Stale-Time: 300\nX-Vercel-Cache: HIT\nX-Vercel-Id: bom1::mpjwp-1776063609495-51819dfe623c\n<!DOCTYPE html><!--Hx5ZYVFh7vc13yeZypeJf--><html lang=\"en\"><head><meta charSet=\"utf-8\"/><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"/><link rel=\"preload\" 
href=\"/_next/static/med\n...[SNIP]..."}]},{"anchor_id":"3.2","url":"https://cp-club-vjti.vercel.app/contest","summary":{"Severity":"Information","Confidence":"Firm","Host":"https://cp-club-vjti.vercel.app","Path":"/contest"},"details":{},"evidence":[{"index":"1","request":"GET /contest HTTP/2\nHost: cp-club-vjti.vercel.app\nCache-Control: max-age=0\nSec-Ch-Ua: \"Google Chrome\";v=\"146\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"146\"\nSec-Ch-Ua-Mobile: ?0\nSec-Ch-Ua-Platform: \"Linux\"\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate, br\nConnection: close\nReferer: https://cp-club-vjti.vercel.app/","response":"HTTP/2 200 OK\nServer: Vercel\nX-Vercel-Id: ZpBXebCKpQ5ldnSjWOMl32IT18EsIzet\nAccess-Control-Allow-Origin: *\nAge: 1367403\nCache-Control: public, max-age=0, must-revalidate\nContent-Disposition: inline\nContent-Type: text/html; charset=utf-8\nDate: Mon, 13 Apr 2026 07:00:09 GMT\nEtag: W/\"a58b2a00b7eef4592a8f5af0cc781d0a\"\nServer: Vercel\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\nVary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch\nX-Matched-Path: /contest\nX-Nextjs-Prerender: 1\nX-Nextjs-Stale-Time: 300\nX-Vercel-Cache: HIT\nX-Vercel-Id: bom1::mpjwp-1776063609590-057c1c584db7\n<!DOCTYPE html><!--Hx5ZYVFh7vc13yeZypeJf--><html lang=\"en\"><head><meta charSet=\"utf-8\"/><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"/><link rel=\"preload\" 
href=\"/_next/static/med\n...[SNIP]..."}]},{"anchor_id":"3.3","url":"https://cp-club-vjti.vercel.app/leaderboard","summary":{"Severity":"Information","Confidence":"Firm","Host":"https://cp-club-vjti.vercel.app","Path":"/leaderboard"},"details":{},"evidence":[{"index":"1","request":"GET /leaderboard HTTP/2\nHost: cp-club-vjti.vercel.app\nCache-Control: max-age=0\nSec-Ch-Ua: \"Google Chrome\";v=\"146\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"146\"\nSec-Ch-Ua-Mobile: ?0\nSec-Ch-Ua-Platform: \"Linux\"\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate, br\nConnection: close\nReferer: https://cp-club-vjti.vercel.app/","response":"HTTP/2 200 OK\nServer: Vercel\nX-Vercel-Id: ZpBXebCKpQ5ldnSjWOMl32IT18EsIzet\nAccess-Control-Allow-Origin: *\nAge: 1615485\nCache-Control: public, max-age=0, must-revalidate\nContent-Disposition: inline\nContent-Type: text/html; charset=utf-8\nDate: Mon, 13 Apr 2026 07:00:09 GMT\nEtag: W/\"df34cc238b03f600a78687de5c1ca49e\"\nServer: Vercel\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\nVary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch\nX-Matched-Path: /leaderboard\nX-Nextjs-Prerender: 1\nX-Nextjs-Stale-Time: 300\nX-Vercel-Cache: HIT\nX-Vercel-Id: bom1::mpjwp-1776063609495-51819dfe623c\n<!DOCTYPE html><!--Hx5ZYVFh7vc13yeZypeJf--><html lang=\"en\"><head><meta charSet=\"utf-8\"/><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"/><link rel=\"preload\" 
href=\"/_next/static/med\n...[SNIP]..."}]},{"anchor_id":"3.4","url":"https://cp-club-vjti.vercel.app/resources","summary":{"Severity":"Information","Confidence":"Firm","Host":"https://cp-club-vjti.vercel.app","Path":"/resources"},"details":{},"evidence":[{"index":"1","request":"GET /resources HTTP/2\nHost: cp-club-vjti.vercel.app\nCache-Control: max-age=0\nSec-Ch-Ua: \"Google Chrome\";v=\"146\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"146\"\nSec-Ch-Ua-Mobile: ?0\nSec-Ch-Ua-Platform: \"Linux\"\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate, br\nConnection: close\nReferer: https://cp-club-vjti.vercel.app/","response":"HTTP/2 200 OK\nServer: Vercel\nX-Vercel-Id: ZpBXebCKpQ5ldnSjWOMl32IT18EsIzet\nAccess-Control-Allow-Origin: *\nAge: 1100835\nCache-Control: public, max-age=0, must-revalidate\nContent-Disposition: inline\nContent-Type: text/html; charset=utf-8\nDate: Mon, 13 Apr 2026 07:00:09 GMT\nEtag: W/\"36fa519b4fb9219d67d0748d0a4f271a\"\nServer: Vercel\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\nVary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch\nX-Matched-Path: /resources\nX-Nextjs-Prerender: 1\nX-Nextjs-Stale-Time: 300\nX-Vercel-Cache: HIT\nX-Vercel-Id: bom1::mpjwp-1776063609658-616210025e8a\n<!DOCTYPE html><!--Hx5ZYVFh7vc13yeZypeJf--><html lang=\"en\"><head><meta charSet=\"utf-8\"/><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"/><link rel=\"preload\" 
href=\"/_next/static/med\n...[SNIP]..."}]},{"anchor_id":"3.5","url":"https://cp-club-vjti.vercel.app/robots.txt","summary":{"Severity":"Information","Confidence":"Firm","Host":"https://cp-club-vjti.vercel.app","Path":"/robots.txt"},"details":{},"evidence":[{"index":"1","request":"GET /robots.txt HTTP/2\nHost: cp-club-vjti.vercel.app\nCache-Control: max-age=0\nSec-Ch-Ua: \"Google Chrome\";v=\"146\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"146\"\nSec-Ch-Ua-Mobile: ?0\nSec-Ch-Ua-Platform: \"Linux\"\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate, br\nConnection: close","response":"HTTP/2 404 Not Found\nServer: Vercel\nX-Vercel-Id: ZpBXebCKpQ5ldnSjWOMl32IT18EsIzet\nAccess-Control-Allow-Origin: *\nAge: 120699\nCache-Control: public, max-age=0, must-revalidate\nContent-Disposition: inline; filename=\"404\"\nContent-Type: text/html; charset=utf-8\nDate: Mon, 13 Apr 2026 07:00:08 GMT\nEtag: W/\"7605b463f89e845c17a2ee18da7c3d24\"\nLast-Modified: Sat, 11 Apr 2026 21:28:28 GMT\nServer: Vercel\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\nX-Matched-Path: /404\nX-Next-Error-Status: 404\nX-Vercel-Cache: HIT\nX-Vercel-Id: bom1::gd5tz-1776063608312-c653e49a48ce\n<!DOCTYPE html><!--Hx5ZYVFh7vc13yeZypeJf--><html lang=\"en\"><head><meta charSet=\"utf-8\"/><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"/><link rel=\"preload\" href=\"/_next/static/med\n...[SNIP]..."}]}]},{"title":"Cacheable HTTPS response","raw_title":"4. 
Cacheable HTTPS response","anchor_id":"4","reference_url":"https://portswigger.net/knowledgebase/issues/details/00700100_cacheablehttpsresponse","summary":{},"details":{"Issue description":"Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.","Issue remediation":{"text":"Applications should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:","items":["Cache-control: no-store","Pragma: no-cache"]},"References":[{"text":"Web Security Academy: Information disclosure","href":"https://portswigger.net/web-security/information-disclosure"}],"Vulnerability classifications":[{"text":"CWE-524: Information Exposure Through Caching","href":"https://cwe.mitre.org/data/definitions/524.html"},{"text":"CWE-525: Information Exposure Through Browser Caching","href":"https://cwe.mitre.org/data/definitions/525.html"},{"text":"CAPEC-37: Retrieve Embedded Sensitive Data","href":"https://capec.mitre.org/data/definitions/37.html"}]},"evidence":[],"instances":[{"anchor_id":"4.1","url":"https://cp-club-vjti.vercel.app/","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/"},"details":{},"evidence":[{"index":"1","request":"GET / HTTP/2\nHost: cp-club-vjti.vercel.app\nCache-Control: max-age=0\nSec-Ch-Ua: \"Google Chrome\";v=\"146\", 
\"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"146\"\nSec-Ch-Ua-Mobile: ?0\nSec-Ch-Ua-Platform: \"Linux\"\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate, br\nConnection: close\nReferer: https://cp-club-vjti.vercel.app/","response":"HTTP/2 200 OK\nServer: Vercel\nX-Vercel-Id: ZpBXebCKpQ5ldnSjWOMl32IT18EsIzet\nAccess-Control-Allow-Origin: *\nAge: 1825458\nCache-Control: public, max-age=0, must-revalidate\nContent-Disposition: inline\nContent-Type: text/html; charset=utf-8\nDate: Mon, 13 Apr 2026 07:00:08 GMT\nEtag: W/\"1e58b8766fb3b0b3a0e0869d24997ee1\"\nServer: Vercel\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\nVary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch\nX-Matched-Path: /\nX-Nextjs-Prerender: 1\nX-Nextjs-Stale-Time: 300\nX-Vercel-Cache: HIT\nX-Vercel-Id: bom1::gk59t-1776063607818-81175c69b3e2\n<!DOCTYPE html><!--Hx5ZYVFh7vc13yeZypeJf--><html lang=\"en\"><head><meta charSet=\"utf-8\"/><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"/><link rel=\"preload\" href=\"/_next/static/med\n...[SNIP]..."}]},{"anchor_id":"4.2","url":"https://cp-club-vjti.vercel.app/contest","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/contest"},"details":{},"evidence":[{"index":"1","request":"GET /contest HTTP/2\nHost: cp-club-vjti.vercel.app\nCache-Control: max-age=0\nSec-Ch-Ua: \"Google Chrome\";v=\"146\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"146\"\nSec-Ch-Ua-Mobile: ?0\nSec-Ch-Ua-Platform: \"Linux\"\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 
(X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate, br\nConnection: close\nReferer: https://cp-club-vjti.vercel.app/","response":"HTTP/2 200 OK\nServer: Vercel\nX-Vercel-Id: ZpBXebCKpQ5ldnSjWOMl32IT18EsIzet\nAccess-Control-Allow-Origin: *\nAge: 1367403\nCache-Control: public, max-age=0, must-revalidate\nContent-Disposition: inline\nContent-Type: text/html; charset=utf-8\nDate: Mon, 13 Apr 2026 07:00:09 GMT\nEtag: W/\"a58b2a00b7eef4592a8f5af0cc781d0a\"\nServer: Vercel\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\nVary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch\nX-Matched-Path: /contest\nX-Nextjs-Prerender: 1\nX-Nextjs-Stale-Time: 300\nX-Vercel-Cache: HIT\nX-Vercel-Id: bom1::mpjwp-1776063609590-057c1c584db7\n<!DOCTYPE html><!--Hx5ZYVFh7vc13yeZypeJf--><html lang=\"en\"><head><meta charSet=\"utf-8\"/><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"/><link rel=\"preload\" href=\"/_next/static/med\n...[SNIP]..."}]},{"anchor_id":"4.3","url":"https://cp-club-vjti.vercel.app/leaderboard","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/leaderboard"},"details":{},"evidence":[{"index":"1","request":"GET /leaderboard HTTP/2\nHost: cp-club-vjti.vercel.app\nCache-Control: max-age=0\nSec-Ch-Ua: \"Google Chrome\";v=\"146\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"146\"\nSec-Ch-Ua-Mobile: ?0\nSec-Ch-Ua-Platform: \"Linux\"\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate, br\nConnection: close\nReferer: https://cp-club-vjti.vercel.app/","response":"HTTP/2 200 OK\nServer: Vercel\nX-Vercel-Id: ZpBXebCKpQ5ldnSjWOMl32IT18EsIzet\nAccess-Control-Allow-Origin: *\nAge: 1615485\nCache-Control: public, max-age=0, must-revalidate\nContent-Disposition: inline\nContent-Type: text/html; charset=utf-8\nDate: Mon, 13 Apr 2026 07:00:09 GMT\nEtag: W/\"df34cc238b03f600a78687de5c1ca49e\"\nServer: Vercel\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\nVary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch\nX-Matched-Path: /leaderboard\nX-Nextjs-Prerender: 1\nX-Nextjs-Stale-Time: 300\nX-Vercel-Cache: HIT\nX-Vercel-Id: bom1::mpjwp-1776063609495-51819dfe623c\n<!DOCTYPE html><!--Hx5ZYVFh7vc13yeZypeJf--><html lang=\"en\"><head><meta charSet=\"utf-8\"/><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"/><link rel=\"preload\" href=\"/_next/static/med\n...[SNIP]..."}]},{"anchor_id":"4.4","url":"https://cp-club-vjti.vercel.app/resources","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/resources"},"details":{},"evidence":[{"index":"1","request":"GET /resources HTTP/2\nHost: cp-club-vjti.vercel.app\nCache-Control: max-age=0\nSec-Ch-Ua: \"Google Chrome\";v=\"146\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"146\"\nSec-Ch-Ua-Mobile: ?0\nSec-Ch-Ua-Platform: \"Linux\"\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate, br\nConnection: close\nReferer: https://cp-club-vjti.vercel.app/","response":"HTTP/2 200 OK\nServer: Vercel\nX-Vercel-Id: ZpBXebCKpQ5ldnSjWOMl32IT18EsIzet\nAccess-Control-Allow-Origin: *\nAge: 1100835\nCache-Control: public, max-age=0, must-revalidate\nContent-Disposition: inline\nContent-Type: text/html; charset=utf-8\nDate: Mon, 13 Apr 2026 07:00:09 GMT\nEtag: W/\"36fa519b4fb9219d67d0748d0a4f271a\"\nServer: Vercel\nStrict-Transport-Security: max-age=63072000; includeSubDomains; preload\nVary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch\nX-Matched-Path: /resources\nX-Nextjs-Prerender: 1\nX-Nextjs-Stale-Time: 300\nX-Vercel-Cache: HIT\nX-Vercel-Id: bom1::mpjwp-1776063609658-616210025e8a\n<!DOCTYPE html><!--Hx5ZYVFh7vc13yeZypeJf--><html lang=\"en\"><head><meta charSet=\"utf-8\"/><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"/><link rel=\"preload\" href=\"/_next/static/med\n...[SNIP]..."}]}]},{"title":"TLS certificate","raw_title":"5. TLS certificate","anchor_id":"5","reference_url":"https://portswigger.net/knowledgebase/issues/details/01000100_tlscertificate","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/"},"details":{"Issue detail":"The server presented a valid, trusted TLS certificate. 
This issue is purely informational.\nThe server presented the following certificates:\nServer certificate\nIssued to:\n  \n*.vercel.app, vercel.app\nIssued by:\n  \nWR1\nValid from:\n  \nThu Feb 26 06:28:03 UTC 2026\nValid to:\n  \nWed May 27 06:28:02 UTC 2026\nCertificate chain #1\nIssued to:\n  \nWR1\nIssued by:\n  \nGTS Root R1\nValid from:\n  \nWed Dec 13 09:00:00 UTC 2023\nValid to:\n  \nTue Feb 20 14:00:00 UTC 2029\nCertificate chain #2\nIssued to:\n  \nGTS Root R1\nIssued by:\n  \nGlobalSign Root CA\nValid from:\n  \nFri Jun 19 00:00:42 UTC 2020\nValid to:\n  \nFri Jan 28 00:00:42 UTC 2028\nCertificate chain #3\nIssued to:\n  \nGlobalSign Root CA\nIssued by:\n  \nGlobalSign Root CA\nValid from:\n  \nTue Sep 01 12:00:00 UTC 1998\nValid to:\n  \nFri Jan 28 12:00:00 UTC 2028","Issue background":"TLS (or SSL) helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present a TLS certificate that is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, TLS connections to the server will not provide the full protection for which TLS is designed.\n\nIt should be noted that various attacks exist against TLS in general, and in the context of HTTPS web connections in particular. 
It may be possible for a determined and suitably-positioned attacker to compromise TLS connections without user detection even when a valid TLS certificate is used.","References":[{"text":"SSL/TLS Configuration Guide","href":"https://wiki.mozilla.org/Security/Server_Side_TLS"}],"Vulnerability classifications":[{"text":"CWE-295: Improper Certificate Validation","href":"https://cwe.mitre.org/data/definitions/295.html"},{"text":"CWE-326: Inadequate Encryption Strength","href":"https://cwe.mitre.org/data/definitions/326.html"},{"text":"CWE-327: Use of a Broken or Risky Cryptographic Algorithm","href":"https://cwe.mitre.org/data/definitions/327.html"}]},"evidence":[],"instances":[]},{"title":"Hidden HTTP 2","raw_title":"6. Hidden HTTP 2","anchor_id":"6","reference_url":"https://portswigger.net/knowledgebase/issues/details/01000500_hiddenhttp2","summary":{"Severity":"Information","Confidence":"Certain","Host":"https://cp-club-vjti.vercel.app","Path":"/"},"details":{"Issue detail":"The server did not list \nh2\n in the ALPN field during the TLS handshake. However, when a HTTP/2 request was sent over the TLS connection, a HTTP/2 response was received. This indicates that the server does support HTTP/2, despite not advertising it.","Issue background":"Clients that support HTTP/2 typically default to HTTP/1.1, and only use HTTP/2 if the server advertises support for it via the ALPN field during the TLS handshake.\n\n    Some misconfigured servers that do support HTTP/2 fail to advertise this, making it appear as though they only support HTTP/1.1. This can lead to people overlooking viable HTTP/2 attack surface and missing associated vulnerabilities, such as HTTP/2 downgrade-based request smuggling.","Issue remediation":"If you want to use HTTP/2, make sure the server is configured to advertise it correctly. 
Otherwise, consider fully disabling it server-side to reduce unnecessary attack surface.","References":[{"text":"HTTP/2: The Sequel is Always Worse","href":"https://portswigger.net/research/http2"}],"Vulnerability classifications":[{"text":"CWE-912: Hidden Functionality","href":"https://cwe.mitre.org/data/definitions/912.html"}]},"evidence":[{"index":"1","request":"GET / HTTP/2\nHost: cp-club-vjti.vercel.app\nCache-Control: max-age=0\nSec-Ch-Ua: \"Google Chrome\";v=\"146\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"146\"\nSec-Ch-Ua-Mobile: ?0\nSec-Ch-Ua-Platform: \"Linux\"\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate, br\nConnection: close\nReferer: https://cp-club-vjti.vercel.app/","response":"HTTP/2 400 Bad Request\nContent-Type: text/plain; charset=utf-8\nX-Content-Type-Options: nosniff\nContent-Length: 51\nDate: Mon, 13 Apr 2026 07:05:08 GMT\nrequest header \"Connection\" is not valid in HTTP/2"}],"instances":[]}]},"timestamp":{"$date":"2026-04-13T07:13:31.740Z"}}]