_id created_at url tool result
69e39f91839bb0c85106a36d
Sat Apr 18 2026 15:13:21 GMT+0000 (Coordinated Universal Time)
fetch_report
{
  "status": "Burp scan triggered"
}
69e3a2d31180b6d9471953c2
Sat Apr 18 2026 15:27:15 GMT+0000 (Coordinated Universal Time)
fetch_report
{
  "metadata": {
    "issue_counts": {
      "Low": {
        "Certain": 5,
        "Firm": 0,
        "Tentative": 0,
        "Total": 5
      },
      "Information": {
        "Certain": 1,
        "Firm": 2,
        "Tentative": 0,
        "Total": 3
      },
      "High": {},
      "Medium": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "False Positive": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      }
    },
    "report_generated": "Report generated by Burp Suite web vulnerability scanner v2026.3.2, at Mon Apr 13 10:16:44 UTC 2026.",
    "scan_id": "11adf2ac"
  },
  "vulnerabilities": [
    {
      "title": "Strict transport security not enforced",
      "raw_title": "1. Strict transport security not enforced",
      "anchor_id": "1",
      "reference_url": "https://portswigger.net/knowledgebase/issues/details/01000300_stricttransportsecuritynotenforced",
      "summary": {},
      "details": {
        "Issue background": "The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool automates this process.\n\nTo exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.",
        "Issue remediation": "The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.\n\nNote that because HSTS is a \"trust on first use\" (TOFU) protocol, a user who has never accessed the application will never have seen the HSTS header, and will therefore still be vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' flag to the HSTS header, and submit the domain for review by browser vendors.",
        "References": [
          {
            "text": "HTTP Strict Transport Security",
            "href": "https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security"
          },
          {
            "text": "sslstrip",
            "href": "https://github.com/moxie0/sslstrip"
          },
          {
            "text": "HSTS Preload Form",
            "href": "https://hstspreload.appspot.com/"
          }
        ],
        "Vulnerability classifications": [
          {
            "text": "CWE-523: Unprotected Transport of Credentials",
            "href": "https://cwe.mitre.org/data/definitions/523.html"
          },
          {
            "text": "CAPEC-94: Man in the Middle Attack",
            "href": "https://capec.mitre.org/data/definitions/94.html"
          },
          {
            "text": "CAPEC-157: Sniffing Attacks",
            "href": "https://capec.mitre.org/data/definitions/157.html"
          }
        ]
      },
      "evidence": [],
      "instances": [
        {
          "anchor_id": "1.1",
          "url": "https://cerebralzip.com/",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/"
          },
          "details": {
            "Issue detail": "This issue was found in multiple locations under the reported path."
          },
          "evidence": []
        },
        {
          "anchor_id": "1.2",
          "url": "https://cerebralzip.com/@vite/client",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/@vite/client"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "1.3",
          "url": "https://cerebralzip.com/robots.txt",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/robots.txt"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "1.4",
          "url": "https://cerebralzip.com/src/main.tsx",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/src/main.tsx"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "1.5",
          "url": "https://cerebralzip.com/vite.svg",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/vite.svg"
          },
          "details": {},
          "evidence": []
        }
      ]
    },
    {
      "title": "Frameable response (potential Clickjacking)",
      "raw_title": "2. Frameable response (potential Clickjacking)",
      "anchor_id": "2",
      "reference_url": "https://portswigger.net/knowledgebase/issues/details/005009a0_frameableresponsepotentialclickjacking",
      "summary": {},
      "details": {
        "Issue description": "If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.\n\nNote that some applications attempt to prevent these attacks from within the HTML page itself, using \"framebusting\" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.\n\nYou should determine whether any functions accessible within frameable pages can be used by application users to perform any sensitive actions within the application.",
        "Issue remediation": "To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.",
        "References": [
          {
            "text": "Web Security Academy: Clickjacking",
            "href": "https://portswigger.net/web-security/clickjacking"
          },
          {
            "text": "X-Frame-Options",
            "href": "https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options"
          }
        ],
        "Vulnerability classifications": [
          {
            "text": "CWE-693: Protection Mechanism Failure",
            "href": "https://cwe.mitre.org/data/definitions/693.html"
          },
          {
            "text": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
            "href": "https://cwe.mitre.org/data/definitions/1021.html"
          },
          {
            "text": "CAPEC-103: Clickjacking",
            "href": "https://capec.mitre.org/data/definitions/103.html"
          }
        ]
      },
      "evidence": [],
      "instances": [
        {
          "anchor_id": "2.1",
          "url": "https://cerebralzip.com/",
          "summary": {
            "Severity": "Information",
            "Confidence": "Firm",
            "Host": "https://cerebralzip.com",
            "Path": "/"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "2.2",
          "url": "https://cerebralzip.com/robots.txt",
          "summary": {
            "Severity": "Information",
            "Confidence": "Firm",
            "Host": "https://cerebralzip.com",
            "Path": "/robots.txt"
          },
          "details": {},
          "evidence": []
        }
      ]
    },
    {
      "title": "TLS certificate",
      "raw_title": "3. TLS certificate",
      "anchor_id": "3",
      "reference_url": "https://portswigger.net/knowledgebase/issues/details/01000100_tlscertificate",
      "summary": {
        "Severity": "Information",
        "Confidence": "Certain",
        "Host": "https://cerebralzip.com",
        "Path": "/"
      },
      "details": {
        "Issue detail": "The server presented a valid, trusted TLS certificate. This issue is purely informational.\nThe server presented the following certificates:\nServer certificate\nIssued to: cerebralzip.com, www.cerebralzip.com\nIssued by: R13\nValid from: Tue Jan 20 02:09:34 UTC 2026\nValid to: Mon Apr 20 02:09:33 UTC 2026\nCertificate chain #1\nIssued to: R13\nIssued by: ISRG Root X1\nValid from: Wed Mar 13 00:00:00 UTC 2024\nValid to: Fri Mar 12 23:59:59 UTC 2027\nCertificate chain #2\nIssued to: ISRG Root X1\nIssued by: ISRG Root X1\nValid from: Thu Jun 04 11:04:38 UTC 2015\nValid to: Mon Jun 04 11:04:38 UTC 2035",
        "Issue background": "TLS (or SSL) helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present a TLS certificate that is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, TLS connections to the server will not provide the full protection for which TLS is designed.\n\nIt should be noted that various attacks exist against TLS in general, and in the context of HTTPS web connections in particular. It may be possible for a determined and suitably-positioned attacker to compromise TLS connections without user detection even when a valid TLS certificate is used.",
        "References": [
          {
            "text": "SSL/TLS Configuration Guide",
            "href": "https://wiki.mozilla.org/Security/Server_Side_TLS"
          }
        ],
        "Vulnerability classifications": [
          {
            "text": "CWE-295: Improper Certificate Validation",
            "href": "https://cwe.mitre.org/data/definitions/295.html"
          },
          {
            "text": "CWE-326: Inadequate Encryption Strength",
            "href": "https://cwe.mitre.org/data/definitions/326.html"
          },
          {
            "text": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
            "href": "https://cwe.mitre.org/data/definitions/327.html"
          }
        ]
      },
      "evidence": [],
      "instances": []
    }
  ]
}
69e3a434196ff0132e364be3
Sat Apr 18 2026 15:33:08 GMT+0000 (Coordinated Universal Time)
fetch_report
{
  "metadata": {
    "issue_counts": {
      "Low": {
        "Certain": 5,
        "Firm": 0,
        "Tentative": 0,
        "Total": 5
      },
      "Information": {
        "Certain": 1,
        "Firm": 2,
        "Tentative": 0,
        "Total": 3
      },
      "High": {},
      "Medium": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "False Positive": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      }
    },
    "report_generated": "Report generated by Burp Suite web vulnerability scanner v2026.3.2, at Mon Apr 13 10:16:44 UTC 2026.",
    "scan_id": "11adf2ac"
  },
  "vulnerabilities": [
    {
      "title": "Strict transport security not enforced",
      "raw_title": "1. Strict transport security not enforced",
      "anchor_id": "1",
      "reference_url": "https://portswigger.net/knowledgebase/issues/details/01000300_stricttransportsecuritynotenforced",
      "summary": {},
      "details": {
        "Issue background": "The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool automates this process.\n\nTo exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.",
        "Issue remediation": "The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.\n\nNote that because HSTS is a \"trust on first use\" (TOFU) protocol, a user who has never accessed the application will never have seen the HSTS header, and will therefore still be vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' flag to the HSTS header, and submit the domain for review by browser vendors.",
        "References": [
          {
            "text": "HTTP Strict Transport Security",
            "href": "https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security"
          },
          {
            "text": "sslstrip",
            "href": "https://github.com/moxie0/sslstrip"
          },
          {
            "text": "HSTS Preload Form",
            "href": "https://hstspreload.appspot.com/"
          }
        ],
        "Vulnerability classifications": [
          {
            "text": "CWE-523: Unprotected Transport of Credentials",
            "href": "https://cwe.mitre.org/data/definitions/523.html"
          },
          {
            "text": "CAPEC-94: Man in the Middle Attack",
            "href": "https://capec.mitre.org/data/definitions/94.html"
          },
          {
            "text": "CAPEC-157: Sniffing Attacks",
            "href": "https://capec.mitre.org/data/definitions/157.html"
          }
        ]
      },
      "evidence": [],
      "instances": [
        {
          "anchor_id": "1.1",
          "url": "https://cerebralzip.com/",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/"
          },
          "details": {
            "Issue detail": "This issue was found in multiple locations under the reported path."
          },
          "evidence": []
        },
        {
          "anchor_id": "1.2",
          "url": "https://cerebralzip.com/@vite/client",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/@vite/client"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "1.3",
          "url": "https://cerebralzip.com/robots.txt",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/robots.txt"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "1.4",
          "url": "https://cerebralzip.com/src/main.tsx",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/src/main.tsx"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "1.5",
          "url": "https://cerebralzip.com/vite.svg",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/vite.svg"
          },
          "details": {},
          "evidence": []
        }
      ]
    },
    {
      "title": "Frameable response (potential Clickjacking)",
      "raw_title": "2. Frameable response (potential Clickjacking)",
      "anchor_id": "2",
      "reference_url": "https://portswigger.net/knowledgebase/issues/details/005009a0_frameableresponsepotentialclickjacking",
      "summary": {},
      "details": {
        "Issue description": "If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.\n\nNote that some applications attempt to prevent these attacks from within the HTML page itself, using \"framebusting\" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.\n\nYou should determine whether any functions accessible within frameable pages can be used by application users to perform any sensitive actions within the application.",
        "Issue remediation": "To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.",
        "References": [
          {
            "text": "Web Security Academy: Clickjacking",
            "href": "https://portswigger.net/web-security/clickjacking"
          },
          {
            "text": "X-Frame-Options",
            "href": "https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options"
          }
        ],
        "Vulnerability classifications": [
          {
            "text": "CWE-693: Protection Mechanism Failure",
            "href": "https://cwe.mitre.org/data/definitions/693.html"
          },
          {
            "text": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
            "href": "https://cwe.mitre.org/data/definitions/1021.html"
          },
          {
            "text": "CAPEC-103: Clickjacking",
            "href": "https://capec.mitre.org/data/definitions/103.html"
          }
        ]
      },
      "evidence": [],
      "instances": [
        {
          "anchor_id": "2.1",
          "url": "https://cerebralzip.com/",
          "summary": {
            "Severity": "Information",
            "Confidence": "Firm",
            "Host": "https://cerebralzip.com",
            "Path": "/"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "2.2",
          "url": "https://cerebralzip.com/robots.txt",
          "summary": {
            "Severity": "Information",
            "Confidence": "Firm",
            "Host": "https://cerebralzip.com",
            "Path": "/robots.txt"
          },
          "details": {},
          "evidence": []
        }
      ]
    },
    {
      "title": "TLS certificate",
      "raw_title": "3. TLS certificate",
      "anchor_id": "3",
      "reference_url": "https://portswigger.net/knowledgebase/issues/details/01000100_tlscertificate",
      "summary": {
        "Severity": "Information",
        "Confidence": "Certain",
        "Host": "https://cerebralzip.com",
        "Path": "/"
      },
      "details": {
        "Issue detail": "The server presented a valid, trusted TLS certificate. This issue is purely informational.\nThe server presented the following certificates:\nServer certificate\nIssued to: cerebralzip.com, www.cerebralzip.com\nIssued by: R13\nValid from: Tue Jan 20 02:09:34 UTC 2026\nValid to: Mon Apr 20 02:09:33 UTC 2026\nCertificate chain #1\nIssued to: R13\nIssued by: ISRG Root X1\nValid from: Wed Mar 13 00:00:00 UTC 2024\nValid to: Fri Mar 12 23:59:59 UTC 2027\nCertificate chain #2\nIssued to: ISRG Root X1\nIssued by: ISRG Root X1\nValid from: Thu Jun 04 11:04:38 UTC 2015\nValid to: Mon Jun 04 11:04:38 UTC 2035",
        "Issue background": "TLS (or SSL) helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present a TLS certificate that is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, TLS connections to the server will not provide the full protection for which TLS is designed.\n\nIt should be noted that various attacks exist against TLS in general, and in the context of HTTPS web connections in particular. It may be possible for a determined and suitably-positioned attacker to compromise TLS connections without user detection even when a valid TLS certificate is used.",
        "References": [
          {
            "text": "SSL/TLS Configuration Guide",
            "href": "https://wiki.mozilla.org/Security/Server_Side_TLS"
          }
        ],
        "Vulnerability classifications": [
          {
            "text": "CWE-295: Improper Certificate Validation",
            "href": "https://cwe.mitre.org/data/definitions/295.html"
          },
          {
            "text": "CWE-326: Inadequate Encryption Strength",
            "href": "https://cwe.mitre.org/data/definitions/326.html"
          },
          {
            "text": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
            "href": "https://cwe.mitre.org/data/definitions/327.html"
          }
        ]
      },
      "evidence": [],
      "instances": []
    }
  ]
}
69e3a9e425dcc48fa583557e
Sat Apr 18 2026 15:57:24 GMT+0000 (Coordinated Universal Time)
fetch_report
{
  "metadata": {
    "issue_counts": {
      "Low": {
        "Certain": 5,
        "Firm": 0,
        "Tentative": 0,
        "Total": 5
      },
      "Medium": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "False Positive": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "High": {},
      "Information": {
        "Certain": 1,
        "Firm": 2,
        "Tentative": 0,
        "Total": 3
      }
    },
    "report_generated": "Report generated by Burp Suite web vulnerability scanner v2026.3.2, at Sat Apr 18 21:26:51 IST 2026.",
    "scan_id": ""
  },
  "vulnerabilities": [
    {
      "title": "Strict transport security not enforced",
      "raw_title": "1. Strict transport security not enforced",
      "anchor_id": "1",
      "reference_url": "https://portswigger.net/knowledgebase/issues/details/01000300_stricttransportsecuritynotenforced",
      "summary": {},
      "details": {
        "Issue description": "The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool automates this process.\n\nTo exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.",
        "Issue remediation": "The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.\n\nNote that because HSTS is a \"trust on first use\" (TOFU) protocol, a user who has never accessed the application will never have seen the HSTS header, and will therefore still be vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' flag to the HSTS header, and submit the domain for review by browser vendors.",
        "References": [
          {
            "text": "HTTP Strict Transport Security",
            "href": "https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security"
          },
          {
            "text": "sslstrip",
            "href": "https://github.com/moxie0/sslstrip"
          },
          {
            "text": "HSTS Preload Form",
            "href": "https://hstspreload.appspot.com/"
          }
        ],
        "Vulnerability classifications": [
          {
            "text": "CWE-523: Unprotected Transport of Credentials",
            "href": "https://cwe.mitre.org/data/definitions/523.html"
          },
          {
            "text": "CAPEC-94: Man in the Middle Attack",
            "href": "https://capec.mitre.org/data/definitions/94.html"
          },
          {
            "text": "CAPEC-157: Sniffing Attacks",
            "href": "https://capec.mitre.org/data/definitions/157.html"
          }
        ]
      },
      "evidence": [],
      "instances": [
        {
          "anchor_id": "1.1",
          "url": "https://cerebralzip.com/",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "1.2",
          "url": "https://cerebralzip.com/@vite/client",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/@vite/client"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "1.3",
          "url": "https://cerebralzip.com/robots.txt",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/robots.txt"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "1.4",
          "url": "https://cerebralzip.com/src/main.tsx",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/src/main.tsx"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "1.5",
          "url": "https://cerebralzip.com/vite.svg",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/vite.svg"
          },
          "details": {},
          "evidence": []
        }
      ]
    },
    {
      "title": "Frameable response (potential Clickjacking)",
      "raw_title": "2. Frameable response (potential Clickjacking)",
      "anchor_id": "2",
      "reference_url": "https://portswigger.net/knowledgebase/issues/details/005009a0_frameableresponsepotentialclickjacking",
      "summary": {},
      "details": {
        "Issue description": "If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.\n\nNote that some applications attempt to prevent these attacks from within the HTML page itself, using \"framebusting\" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.\n\nYou should determine whether any functions accessible within frameable pages can be used by application users to perform any sensitive actions within the application.",
        "Issue remediation": "To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.",
        "References": [
          {
            "text": "Web Security Academy: Clickjacking",
            "href": "https://portswigger.net/web-security/clickjacking"
          },
          {
            "text": "X-Frame-Options",
            "href": "https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options"
          }
        ],
        "Vulnerability classifications": [
          {
            "text": "CWE-693: Protection Mechanism Failure",
            "href": "https://cwe.mitre.org/data/definitions/693.html"
          },
          {
            "text": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
            "href": "https://cwe.mitre.org/data/definitions/1021.html"
          },
          {
            "text": "CAPEC-103: Clickjacking",
            "href": "https://capec.mitre.org/data/definitions/103.html"
          }
        ]
      },
      "evidence": [],
      "instances": [
        {
          "anchor_id": "2.1",
          "url": "https://cerebralzip.com/",
          "summary": {
            "Severity": "Information",
            "Confidence": "Firm",
            "Host": "https://cerebralzip.com",
            "Path": "/"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "2.2",
          "url": "https://cerebralzip.com/robots.txt",
          "summary": {
            "Severity": "Information",
            "Confidence": "Firm",
            "Host": "https://cerebralzip.com",
            "Path": "/robots.txt"
          },
          "details": {},
          "evidence": []
        }
      ]
    },
    {
      "title": "TLS certificate",
      "raw_title": "3. TLS certificate",
      "anchor_id": "3",
      "reference_url": "https://portswigger.net/knowledgebase/issues/details/01000100_tlscertificate",
      "summary": {
        "Severity": "Information",
        "Confidence": "Certain",
        "Host": "https://cerebralzip.com",
        "Path": "/"
      },
      "details": {
        "Issue detail": "The server presented a valid, trusted TLS certificate. This issue is purely informational.\nThe server presented the following certificates:\nServer certificate\nIssued to:\n  \ncerebralzip.com, www.cerebralzip.com\nIssued by:\n  \nR13\nValid from:\n  \nTue Jan 20 07:39:34 IST 2026\nValid to:\n  \nMon Apr 20 07:39:33 IST 2026\nCertificate chain #1\nIssued to:\n  \nR13\nIssued by:\n  \nISRG Root X1\nValid from:\n  \nWed Mar 13 05:30:00 IST 2024\nValid to:\n  \nSat Mar 13 05:29:59 IST 2027\nCertificate chain #2\nIssued to:\n  \nISRG Root X1\nIssued by:\n  \nISRG Root X1\nValid from:\n  \nThu Jun 04 16:34:38 IST 2015\nValid to:\n  \nMon Jun 04 16:34:38 IST 2035",
        "Issue background": "TLS (or SSL) helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an TLS certificate that is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, TLS connections to the server will not provide the full protection for which TLS is designed.\n\nIt should be noted that various attacks exist against TLS in general, and in the context of HTTPS web connections in particular. It may be possible for a determined and suitably-positioned attacker to compromise TLS connections without user detection even when a valid TLS certificate is used.",
        "References": [
          {
            "text": "SSL/TLS Configuration Guide",
            "href": "https://wiki.mozilla.org/Security/Server_Side_TLS"
          }
        ],
        "Vulnerability classifications": [
          {
            "text": "CWE-295: Improper Certificate Validation",
            "href": "https://cwe.mitre.org/data/definitions/295.html"
          },
          {
            "text": "CWE-326: Inadequate Encryption Strength",
            "href": "https://cwe.mitre.org/data/definitions/326.html"
          },
          {
            "text": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
            "href": "https://cwe.mitre.org/data/definitions/327.html"
          }
        ]
      },
      "evidence": [],
      "instances": []
    }
  ]
}
69e3a9ff85b293b8636ebf5f
Sat Apr 18 2026 15:57:51 GMT+0000 (Coordinated Universal Time)
fetch_report
{
  "metadata": {
    "issue_counts": {
      "Low": {
        "Certain": 5,
        "Firm": 0,
        "Tentative": 0,
        "Total": 5
      },
      "Medium": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "False Positive": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "High": {},
      "Information": {
        "Certain": 1,
        "Firm": 2,
        "Tentative": 0,
        "Total": 3
      }
    },
    "report_generated": "Report generated by Burp Suiteweb vulnerability scannerv2026.3.2, at Sat Apr 18 21:26:51 IST 2026.",
    "scan_id": ""
  },
  "vulnerabilities": [
    {
      "title": "Strict transport security not enforced",
      "raw_title": "1. Strict transport security not enforced",
      "anchor_id": "1",
      "reference_url": "https://portswigger.net/knowledgebase/issues/details/01000300_stricttransportsecuritynotenforced",
      "summary": {},
      "details": {
        "Issue description": "The application fails to prevent users from connecting  to it over unencrypted connections.  An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool  automates this process. \n\nTo exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic.This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.",
        "Issue remediation": "The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.\n\nNote that because HSTS is a \"trust on first use\" (TOFU) protocol, a user who has never accessed the application will never have seen the HSTS header, and will therefore still be vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' flag to the HSTS header, and submit the domain for review by browser vendors.",
        "References": [
          {
            "text": "HTTP Strict Transport Security",
            "href": "https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security"
          },
          {
            "text": "sslstrip",
            "href": "https://github.com/moxie0/sslstrip"
          },
          {
            "text": "HSTS Preload Form",
            "href": "https://hstspreload.appspot.com/"
          }
        ],
        "Vulnerability classifications": [
          {
            "text": "CWE-523: Unprotected Transport of Credentials",
            "href": "https://cwe.mitre.org/data/definitions/523.html"
          },
          {
            "text": "CAPEC-94: Man in the Middle Attack",
            "href": "https://capec.mitre.org/data/definitions/94.html"
          },
          {
            "text": "CAPEC-157: Sniffing Attacks",
            "href": "https://capec.mitre.org/data/definitions/157.html"
          }
        ]
      },
      "evidence": [],
      "instances": [
        {
          "anchor_id": "1.1",
          "url": "https://cerebralzip.com/",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "1.2",
          "url": "https://cerebralzip.com/@vite/client",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/@vite/client"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "1.3",
          "url": "https://cerebralzip.com/robots.txt",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/robots.txt"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "1.4",
          "url": "https://cerebralzip.com/src/main.tsx",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/src/main.tsx"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "1.5",
          "url": "https://cerebralzip.com/vite.svg",
          "summary": {
            "Severity": "Low",
            "Confidence": "Certain",
            "Host": "https://cerebralzip.com",
            "Path": "/vite.svg"
          },
          "details": {},
          "evidence": []
        }
      ]
    },
    {
      "title": "Frameable response (potential Clickjacking)",
      "raw_title": "2. Frameable response (potential Clickjacking)",
      "anchor_id": "2",
      "reference_url": "https://portswigger.net/knowledgebase/issues/details/005009a0_frameableresponsepotentialclickjacking",
      "summary": {},
      "details": {
        "Issue description": "If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.\n\nNote that some applications attempt to prevent these attacks from within the HTML page itself, using \"framebusting\" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.\n\nYou should determine whether any functions accessible within frameable pages can be used by application users to perform any sensitive actions within the application.",
        "Issue remediation": "To effectively prevent framing attacks, the application should return a response header with the name \nX-Frame-Options\n and the value \nDENY\n to prevent framing altogether, or the value \nSAMEORIGIN\n to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.",
        "References": [
          {
            "text": "Web Security Academy: Clickjacking",
            "href": "https://portswigger.net/web-security/clickjacking"
          },
          {
            "text": "X-Frame-Options",
            "href": "https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options"
          }
        ],
        "Vulnerability classifications": [
          {
            "text": "CWE-693: Protection Mechanism Failure",
            "href": "https://cwe.mitre.org/data/definitions/693.html"
          },
          {
            "text": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
            "href": "https://cwe.mitre.org/data/definitions/1021.html"
          },
          {
            "text": "CAPEC-103: Clickjacking",
            "href": "https://capec.mitre.org/data/definitions/103.html"
          }
        ]
      },
      "evidence": [],
      "instances": [
        {
          "anchor_id": "2.1",
          "url": "https://cerebralzip.com/",
          "summary": {
            "Severity": "Information",
            "Confidence": "Firm",
            "Host": "https://cerebralzip.com",
            "Path": "/"
          },
          "details": {},
          "evidence": []
        },
        {
          "anchor_id": "2.2",
          "url": "https://cerebralzip.com/robots.txt",
          "summary": {
            "Severity": "Information",
            "Confidence": "Firm",
            "Host": "https://cerebralzip.com",
            "Path": "/robots.txt"
          },
          "details": {},
          "evidence": []
        }
      ]
    },
    {
      "title": "TLS certificate",
      "raw_title": "3. TLS certificate",
      "anchor_id": "3",
      "reference_url": "https://portswigger.net/knowledgebase/issues/details/01000100_tlscertificate",
      "summary": {
        "Severity": "Information",
        "Confidence": "Certain",
        "Host": "https://cerebralzip.com",
        "Path": "/"
      },
      "details": {
        "Issue detail": "The server presented a valid, trusted TLS certificate. This issue is purely informational.\nThe server presented the following certificates:\nServer certificate\nIssued to:\n  \ncerebralzip.com, www.cerebralzip.com\nIssued by:\n  \nR13\nValid from:\n  \nTue Jan 20 07:39:34 IST 2026\nValid to:\n  \nMon Apr 20 07:39:33 IST 2026\nCertificate chain #1\nIssued to:\n  \nR13\nIssued by:\n  \nISRG Root X1\nValid from:\n  \nWed Mar 13 05:30:00 IST 2024\nValid to:\n  \nSat Mar 13 05:29:59 IST 2027\nCertificate chain #2\nIssued to:\n  \nISRG Root X1\nIssued by:\n  \nISRG Root X1\nValid from:\n  \nThu Jun 04 16:34:38 IST 2015\nValid to:\n  \nMon Jun 04 16:34:38 IST 2035",
        "Issue background": "TLS (or SSL) helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an TLS certificate that is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, TLS connections to the server will not provide the full protection for which TLS is designed.\n\nIt should be noted that various attacks exist against TLS in general, and in the context of HTTPS web connections in particular. It may be possible for a determined and suitably-positioned attacker to compromise TLS connections without user detection even when a valid TLS certificate is used.",
        "References": [
          {
            "text": "SSL/TLS Configuration Guide",
            "href": "https://wiki.mozilla.org/Security/Server_Side_TLS"
          }
        ],
        "Vulnerability classifications": [
          {
            "text": "CWE-295: Improper Certificate Validation",
            "href": "https://cwe.mitre.org/data/definitions/295.html"
          },
          {
            "text": "CWE-326: Inadequate Encryption Strength",
            "href": "https://cwe.mitre.org/data/definitions/326.html"
          },
          {
            "text": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
            "href": "https://cwe.mitre.org/data/definitions/327.html"
          }
        ]
      },
      "evidence": [],
      "instances": []
    }
  ]
}
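Issues 1 and 2 in the reports above come down to two response headers. The script below is an added example, not code from the reports or from Burp Suite: it audits a response's header set for both findings, requiring a Strict-Transport-Security header with a usable max-age and either a Content-Security-Policy frame-ancestors directive or an X-Frame-Options DENY/SAMEORIGIN value. The header sets OBSERVED and HARDENED are constructed, since the reports carry no response evidence: OBSERVED models a response with neither header, as the findings imply, and HARDENED the remediated response. Beyond the remediation text it flags max-age=0, which clears a browser's stored HSTS policy instead of setting one, and a preload token without the one-year max-age and includeSubDomains that the preload list requires (PRELOAD_MIN_MAX_AGE, from hstspreload.org's published rules); it also treats frame-ancestors as authoritative over X-Frame-Options, which is how browsers that support CSP handle the pair.

```python
"""Audit an HTTP response's headers for the two header findings Burp raised:
missing HSTS (issue 1) and a frameable response (issue 2).

Added example, not part of the scan reports or of Burp Suite. Header sets are
constructed; the reports hold no response evidence.
"""
import re
from typing import Dict, List, Optional

# hstspreload.org requirements: max-age of at least one year, includeSubDomains,
# and the preload token itself.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value into its three directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    max_age = None
    if "max-age" in directives and re.fullmatch(r"\d+", directives["max-age"]):
        max_age = int(directives["max-age"])
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; empty when the response passes both checks.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Issue 1: HSTS. A missing header, max-age=0 (which removes the stored
    # policy) and a preload token that the preload list would reject are reported.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: Strict-Transport-Security header not set")
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None:
            findings.append("HSTS: max-age directive missing or malformed")
        elif p["max_age"] == 0:
            findings.append("HSTS: max-age=0 removes the policy instead of enforcing it")
        elif p["preload"] and (p["max_age"] < PRELOAD_MIN_MAX_AGE or not p["include_subdomains"]):
            findings.append("HSTS: preload requested but max-age < 1 year or includeSubDomains missing")

    # Issue 2: framing. CSP frame-ancestors takes precedence over X-Frame-Options
    # in browsers that support it, so it is checked first; XFO is the fallback.
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if "*" in ancestors or "http:" in ancestors or "https:" in ancestors:
            findings.append("Framing: frame-ancestors permits any origin")
    else:
        xfo = h.get("x-frame-options", "").strip().lower()
        if xfo not in ("deny", "sameorigin"):
            findings.append("Framing: no X-Frame-Options DENY/SAMEORIGIN and no frame-ancestors")
    return findings


# Constructed header sets (not taken from the reports).
OBSERVED = {"Content-Type": "text/html", "Server": "nginx"}
HARDENED = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",  # kept for browsers without CSP frame-ancestors support
}

if __name__ == "__main__":
    for label, hdrs in (("observed", OBSERVED), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["clean"])
```

For a site with no legitimate framing use, frame-ancestors 'none' alongside X-Frame-Options DENY is the safe choice; SAMEORIGIN and 'self' inherit the partial-bypass caveat given in the remediation text.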
69e3d816b202964eaea13bf0
Sat Apr 18 2026 19:14:30 GMT+0000 (Coordinated Universal Time)
fetch_report
*** LARGE PROPERTY ***
~501 KB
Preview:{"metadata":{"issue_count
69e5d79fc590dcf0cd4a9cad
Mon Apr 20 2026 07:37:03 GMT+0000 (Coordinated Universal Time)
fetch_report
{
  "metadata": {
    "issue_counts": {
      "False Positive": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "Low": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "Medium": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "High": {},
      "Information": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      }
    },
    "report_generated": "Report generated by Burp Suiteweb vulnerability scannerv2026.3.2, at Mon Apr 20 13:06:33 IST 2026.",
    "scan_id": ""
  },
  "vulnerabilities": []
}
69e5d7a3cf1cab7fb9db3eef
Mon Apr 20 2026 07:37:07 GMT+0000 (Coordinated Universal Time)
fetch_report
{
  "metadata": {
    "issue_counts": {
      "False Positive": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "Medium": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "High": {},
      "Low": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "Information": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      }
    },
    "report_generated": "Report generated by Burp Suiteweb vulnerability scannerv2026.3.2, at Mon Apr 20 13:06:33 IST 2026.",
    "scan_id": ""
  },
  "vulnerabilities": []
}
69e5d7a56850f0ee2901983e
Mon Apr 20 2026 07:37:09 GMT+0000 (Coordinated Universal Time)
fetch_report
{
  "metadata": {
    "issue_counts": {
      "Medium": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "Low": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "Information": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "High": {},
      "False Positive": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      }
    },
    "report_generated": "Report generated by Burp Suiteweb vulnerability scannerv2026.3.2, at Mon Apr 20 13:06:33 IST 2026.",
    "scan_id": ""
  },
  "vulnerabilities": []
}
69e5e21b393dd55878e52991
Mon Apr 20 2026 08:21:47 GMT+0000 (Coordinated Universal Time)
fetch_report
{
  "metadata": {
    "issue_counts": {
      "Medium": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "Low": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "Information": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      },
      "High": {},
      "False Positive": {
        "Certain": 0,
        "Firm": 0,
        "Tentative": 0,
        "Total": 0
      }
    },
    "report_generated": "Report generated by Burp Suiteweb vulnerability scannerv2026.3.2, at Mon Apr 20 13:06:33 IST 2026.",
    "scan_id": ""
  },
  "vulnerabilities": []
}
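The TLS certificate finding (issue 3 in the reports above) is informational, but its dates are worth a check the scanner does not make. The server certificate is valid only until Mon Apr 20 07:39:33 IST 2026, a 90-day certificate chained to ISRG Root X1 (the Let's Encrypt root), and the four reports generated at Mon Apr 20 13:06:33 IST 2026 fall after that time and list no findings at all; before reading those empty lists as a clean result, confirm the certificate was renewed and the scan actually reached the site. The script below is an added example, not part of the reports or of Burp Suite: it parses the certificate block copied verbatim from the reports' Issue detail field and computes the validity remaining at each report's generation time. Its one assumption is the time zone: IST is read as UTC+05:30 (Indian Standard Time), which nothing on the page states, so adjust OFFSETS if the scanner ran elsewhere.

```python
"""Check the certificate validity window reported by Burp's "TLS certificate"
issue against the time each report was generated.

Added example, not part of the reports or of Burp Suite. ISSUE_DETAIL is
copied from the reports; the OFFSETS zone table is an assumption.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Python's strptime cannot parse arbitrary zone abbreviations, so the ones Burp
# emitted in these reports are mapped to UTC offsets by hand (assumption).
OFFSETS = {"UTC": 0, "GMT": 0, "IST": 330}

# Copied verbatim from the "Issue detail" field of issue 3.
ISSUE_DETAIL = (
    "The server presented a valid, trusted TLS certificate. This issue is purely informational.\n"
    "The server presented the following certificates:\n"
    "Server certificate\nIssued to:\n  \ncerebralzip.com, www.cerebralzip.com\nIssued by:\n  \nR13\n"
    "Valid from:\n  \nTue Jan 20 07:39:34 IST 2026\nValid to:\n  \nMon Apr 20 07:39:33 IST 2026\n"
    "Certificate chain #1\nIssued to:\n  \nR13\nIssued by:\n  \nISRG Root X1\n"
    "Valid from:\n  \nWed Mar 13 05:30:00 IST 2024\nValid to:\n  \nSat Mar 13 05:29:59 IST 2027\n"
    "Certificate chain #2\nIssued to:\n  \nISRG Root X1\nIssued by:\n  \nISRG Root X1\n"
    "Valid from:\n  \nThu Jun 04 16:34:38 IST 2015\nValid to:\n  \nMon Jun 04 16:34:38 IST 2035"
)


def parse_burp_date(text: str) -> datetime:
    """Parse 'Sat Apr 18 21:26:51 IST 2026' into an aware UTC datetime."""
    parts = text.strip().split()  # ['Sat', 'Apr', '18', '21:26:51', 'IST', '2026']
    zone = parts.pop(4)
    naive = datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")
    tz = timezone(timedelta(minutes=OFFSETS[zone]))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def parse_certificates(detail: str) -> List[Dict[str, str]]:
    """Split Burp's rendered certificate list into one dict per certificate.

    Burp renders each field as 'Key:' on one line and the value on a later
    non-blank line, with a whitespace-only line in between.
    """
    certs: List[Dict[str, str]] = []
    pending = None
    for raw in detail.split("\n"):
        line = raw.strip()
        if line == "Server certificate" or line.startswith("Certificate chain #"):
            certs.append({"name": line})
            pending = None
        elif certs and line.endswith(":"):
            pending = line[:-1]
        elif certs and pending and line:
            certs[-1][pending] = line
            pending = None
    return certs


def days_remaining(cert: Dict[str, str], report_time: str) -> float:
    """Days from the report's generation time to notAfter; negative once expired."""
    delta = parse_burp_date(cert["Valid to"]) - parse_burp_date(report_time)
    return delta.total_seconds() / 86400


def lifetime_days(cert: Dict[str, str]) -> float:
    """Length of the certificate's validity window in days."""
    delta = parse_burp_date(cert["Valid to"]) - parse_burp_date(cert["Valid from"])
    return delta.total_seconds() / 86400


def check_leaf(detail: str, report_time: str, warn_days: float = 14) -> List[str]:
    """Findings for the server certificate: short-lived, expiring soon, or expired."""
    leaf = parse_certificates(detail)[0]
    findings = []
    lt = lifetime_days(leaf)
    if lt <= 90:
        findings.append(f"short-lived certificate ({lt:.0f}-day lifetime): renewal must be automated")
    left = days_remaining(leaf, report_time)
    if left < 0:
        findings.append(f"certificate had expired {-left:.1f} days before the report was generated")
    elif left < warn_days:
        findings.append(f"certificate expires in {left:.1f} days")
    return findings


if __name__ == "__main__":
    for stamp in ("Sat Apr 18 21:26:51 IST 2026", "Mon Apr 20 13:06:33 IST 2026"):
        print(stamp, check_leaf(ISSUE_DETAIL, stamp))
```

The chain parser is deliberately tolerant of the rendered layout so it can run over the raw "Issue detail" string as stored, without first cleaning the report.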

webdb

Collection Stats

Documents: 37
Total doc size: 72.63 MB
Average doc size: 1.96 MB
Pre-allocated size: 25.35 MB
Indexes: 1
Total index size: 36 KB

Indexes

Name    Columns    Size
_id_    _id ASC    36 KB