Website Security Report
Company: Example, Inc.
C (Average)
Scan Date: October 05, 2017
Description: This is a special analysis of the company’s main website. The findings are collected from the SSL/TLS Strength, Patch Management, Application Security, Web Ranking and Brand Monitoring sub-categories.
This report category accounts for 6% of the total scan score.
Contents:
  • Summary of SSL/TLS Security
  • The Website Performance
  • Security Headers
  • Possible Vulnerabilities
  • Code Quality

example.com

The Website Security Summary
SSL/TLS Strength: F
Performance: 49%
Security Headers: 30%
Patch Level: 75%
Code Quality: 73%



Summary of SSL/TLS Security

www.example.com [192.168.205.31]: F
Compliant: NIST / HIPAA / PCI_DSS
[Warning] The server's Diffie-Hellman parameter is too small.
[Warning] The server supports cipher suites that are not approved by PCI DSS requirements, NIST guidelines and HIPAA guidance.
[Warning] The server supports HTTPS but is configured to redirect to HTTP. This is a major security and privacy risk.
[Warning] The server does not prefer cipher suites providing strong Perfect Forward Secrecy (PFS). We advise configuring the server to prefer cipher suites with ECDHE or DHE key exchange.
[Warning] The HTTP version of the website does not redirect to the HTTPS version. We advise enabling redirection.
[Warning] The server does not enforce HTTP Strict Transport Security. We advise enabling it so that browsers are forced to use HTTPS for the site.
[Warning] The HTTPS version of the website includes content loaded over plain HTTP.

The Website Performance

Desktop Speed: 20%
  • Reduce server response time
  • ! Minify CSS
  • Avoid landing page redirects
  • Optimize images
  • Minify HTML
  • Enable compression
  • ! Eliminate render-blocking JavaScript and CSS in above-the-fold content
  • Prioritize visible content
  • ! Leverage browser caching
  • ! Minify JavaScript

Mobile Speed: 29%
  • Reduce server response time
  • ! Minify CSS
  • Avoid landing page redirects
  • ! Leverage browser caching
  • ! Minify JavaScript
  • Optimize images
  • Minify HTML
  • Enable compression
  • Eliminate render-blocking JavaScript and CSS in above-the-fold content
  • Prioritize visible content

Mobile Usability: 99%
  • Use legible font sizes
  • Avoid plugins
  • ! Size tap targets appropriately
  • Size content to viewport
  • Configure the viewport



Security Headers

Security Header | Status
Public-Key-Pins
HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
!
X-AspNet-Version
The HTTP responses returned by this web application include a header named X-AspNet-Version. The value of this header is used by Visual Studio to determine which version of ASP.NET is in use. It is not necessary for production sites and should be disabled.
Content-Security-Policy
Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
!
Pragma
The Pragma general-header field is used to include implementation-specific directives that might apply to any recipient along the request/response chain. All pragma directives specify optional behavior from the viewpoint of the protocol; however, some systems MAY require that behavior be consistent with the directives. Ideally, the web server should return the following HTTP header in all responses containing sensitive content: "Pragma: no-store"
!
Strict-Transport-Security
HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value "strict-transport-security: max-age=31536000; includeSubDomains"
!
Cache-control
Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content: "Cache-control: no-store"
Content-Type
The Content-Type entity-header field indicates the media type of the entity-body sent to the recipient or, in the case of the HEAD method, the media type that would have been sent had the request been a GET. An ideal example of the field is "Content-Type: text/html; charset=ISO-8859-4"
Server
The Server response-header field contains information about the software used by the origin server to handle the request. The field can contain multiple product tokens (section 3.8) and comments identifying the server and any significant subproducts. The product tokens are listed in order of their significance for identifying the application.
!
Accept-Ranges
Unconstrained multiple range requests are susceptible to denial-of-service attacks because the effort required to request many overlapping ranges of the same data is tiny compared to the time, memory, and bandwidth consumed by attempting to serve the requested data in many parts.
!
X-XSS-Protection
X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value "X-XSS-Protection: 1; mode=block"
!
X-Content-Type-Options
X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff"
!
X-Powered-By
The X-Powered-By header gives information on the technology that's supporting the Web Server. With typical values like ASP.NET or PHP/5.4.0, this is another piece of information that we can remove from public display.
X-Frame-Options
X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "x-frame-options: SAMEORIGIN"
!



Possible Vulnerabilities

Cookie without HttpOnly flag set
Vulnerability Title: Cookie without HttpOnly flag set
CWE-ID: CWE-87
Status: Warning

Description:

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie's value via an injected script.

Mitigation:

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

Reference(s):


Application / Service URL | Vulnerability Details
  • http://www.example.com


Cookie ID: rd1530o00000000000000000000ffffac1f217bo80
Cookie Name: BIGipServer~Example~OR-prd-moss.pool
HTTPOnly: False
Path: /
Secure: False




Code Quality

The core reason to run your HTML documents through a conformance checker is simple: To catch unintended mistakes—mistakes you might have otherwise missed—so that you can fix them. Beyond that, some document-conformance requirements (validity rules) in the HTML spec are there to help you and the users of your documents avoid certain kinds of potential problems. This validator checks the markup validity of Web documents in HTML, XHTML, SMIL, MathML, etc.

  1. Error A link element with a sizes attribute must have a rel attribute that contains the value icon or the value apple-touch-icon.

    From line 18, column 3; to line 18, column 166

    v/"> <link rel="apple-touch-icon-precomposed" sizes="57x57" href="https://apps.example.com/Application/CDN/Enterprise/images/icons/favicons/apple-touch-icon-57x57.png" /> <li

  2. Error A link element with a sizes attribute must have a rel attribute that contains the value icon or the value apple-touch-icon.

    From line 19, column 3; to line 19, column 166

    png" /> <link rel="apple-touch-icon-precomposed" sizes="60x60" href="https://apps.example.com/Application/CDN/Enterprise/images/icons/favicons/apple-touch-icon-60x60.png" /> <li

  3. Error A link element with a sizes attribute must have a rel attribute that contains the value icon or the value apple-touch-icon.

    From line 20, column 3; to line 20, column 166

    png" /> <link rel="apple-touch-icon-precomposed" sizes="72x72" href="https://apps.example.com/Application/CDN/Enterprise/images/icons/favicons/apple-touch-icon-72x72.png" /> <li

  4. Error A link element with a sizes attribute must have a rel attribute that contains the value icon or the value apple-touch-icon.

    From line 21, column 3; to line 21, column 170

    png" /> <link rel="apple-touch-icon-precomposed" sizes="114x114" href="https://apps.example.com/Application/CDN/Enterprise/images/icons/favicons/apple-touch-icon-114x114.png" /> <li

  5. Error A link element with a sizes attribute must have a rel attribute that contains the value icon or the value apple-touch-icon.

    From line 22, column 3; to line 22, column 170

    png" /> <link rel="apple-touch-icon-precomposed" sizes="120x120" href="https://apps.example.com/Application/CDN/Enterprise/images/icons/favicons/apple-touch-icon-120x120.png" /> <li

  6. Error A link element with a sizes attribute must have a rel attribute that contains the value icon or the value apple-touch-icon.

    From line 23, column 3; to line 23, column 170

    png" /> <link rel="apple-touch-icon-precomposed" sizes="144x144" href="https://apps.example.com/Application/CDN/Enterprise/images/icons/favicons/apple-touch-icon-144x144.png" /> <li

  7. Error A link element with a sizes attribute must have a rel attribute that contains the value icon or the value apple-touch-icon.

    From line 24, column 3; to line 24, column 170

    png" /> <link rel="apple-touch-icon-precomposed" sizes="152x152" href="https://apps.example.com/Application/CDN/Enterprise/images/icons/favicons/apple-touch-icon-152x152.png" /> <li

  8. Error Bad value /Style Library/css/agency.css for attribute href on element link: Illegal character in path segment: space is not allowed.

    From line 209, column 474; to line 209, column 551

    text/css"><link rel="stylesheet" type="text/css" href="/Style Library/css/agency.css" />

  9. Error The cellpadding attribute on the table element is obsolete. Use CSS instead.

    From line 706, column 4; to line 706, column 88

    </h2> <table class="s4-wpTopTable" border="0" cellpadding="0" cellspacing="0" width="100%"> <tr>

  10. Error The cellspacing attribute on the table element is obsolete. Use CSS instead.

    From line 706, column 4; to line 706, column 88

    </h2> <table class="s4-wpTopTable" border="0" cellpadding="0" cellspacing="0" width="100%"> <tr>

  11. Error The width attribute on the table element is obsolete. Use CSS instead.

    From line 706, column 4; to line 706, column 88

    </h2> <table class="s4-wpTopTable" border="0" cellpadding="0" cellspacing="0" width="100%"> <tr>

  12. Error The border attribute on the table element is obsolete. Use CSS instead.

    From line 706, column 4; to line 706, column 88

    </h2> <table class="s4-wpTopTable" border="0" cellpadding="0" cellspacing="0" width="100%"> <tr>

  13. Error The valign attribute on the td element is obsolete. Use CSS instead.

    From line 707, column 6; to line 708, column 19

    0%"> <tr> <td valign="top"><div W

  14. Error Attribute webpartid not allowed on element div at this point.

    From line 708, column 20; to line 708, column 185

    ign="top"><div WebPartID="00000000-0000-0000-0000-000000000000" HasPers="true" id="WebPartWPQ1" width="100%" class="noindex" OnlyForMePart="true" allowDelete="false" style="" ><div i

  15. Error Attribute haspers not allowed on element div at this point.

    From line 708, column 20; to line 708, column 185

    ign="top"><div WebPartID="00000000-0000-0000-0000-000000000000" HasPers="true" id="WebPartWPQ1" width="100%" class="noindex" OnlyForMePart="true" allowDelete="false" style="" ><div i

  16. Error Attribute width not allowed on element div at this point.

    From line 708, column 20; to line 708, column 185

    ign="top"><div WebPartID="00000000-0000-0000-0000-000000000000" HasPers="true" id="WebPartWPQ1" width="100%" class="noindex" OnlyForMePart="true" allowDelete="false" style="" ><div i

  17. Error Attribute onlyformepart not allowed on element div at this point.

    From line 708, column 20; to line 708, column 185

    ign="top"><div WebPartID="00000000-0000-0000-0000-000000000000" HasPers="true" id="WebPartWPQ1" width="100%" class="noindex" OnlyForMePart="true" allowDelete="false" style="" ><div i

  18. Error Attribute allowdelete not allowed on element div at this point.

    From line 708, column 20; to line 708, column 185

    ign="top"><div WebPartID="00000000-0000-0000-0000-000000000000" HasPers="true" id="WebPartWPQ1" width="100%" class="noindex" OnlyForMePart="true" allowDelete="false" style="" ><div i

  19. Error Attribute xmlns:x not allowed here.

    From line 708, column 186; to line 708, column 592

    style="" ><div id="portalCarousel" class="carousel slide" data-ride="carousel" data-interval="false" xmlns:x="designer" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><ol cl

  20. Warning Attribute with the local name xmlns:x is not serializable as XML 1.0.

    From line 708, column 186; to line 708, column 592

    style="" ><div id="portalCarousel" class="carousel slide" data-ride="carousel" data-interval="false" xmlns:x="designer" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><ol cl

  21. Error Attribute xmlns:d not allowed here.

    From line 708, column 186; to line 708, column 592

    style="" ><div id="portalCarousel" class="carousel slide" data-ride="carousel" data-interval="false" xmlns:x="designer" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><ol cl

  22. Warning Attribute with the local name xmlns:d is not serializable as XML 1.0.

    From line 708, column 186; to line 708, column 592

    style="" ><div id="portalCarousel" class="carousel slide" data-ride="carousel" data-interval="false" xmlns:x="designer" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><ol cl

  23. Error Attribute xmlns:asp not allowed here.

    From line 708, column 186; to line 708, column 592

    style="" ><div id="portalCarousel" class="carousel slide" data-ride="carousel" data-interval="false" xmlns:x="designer" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><ol cl

  24. Warning Attribute with the local name xmlns:asp is not serializable as XML 1.0.

    From line 708, column 186; to line 708, column 592

    style="" ><div id="portalCarousel" class="carousel slide" data-ride="carousel" data-interval="false" xmlns:x="designer" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><ol cl

  25. Error Attribute xmlns:__designer not allowed here.

    From line 708, column 186; to line 708, column 592

    style="" ><div id="portalCarousel" class="carousel slide" data-ride="carousel" data-interval="false" xmlns:x="designer" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><ol cl

  26. Warning Attribute with the local name xmlns:__designer is not serializable as XML 1.0.

    From line 708, column 186; to line 708, column 592

    style="" ><div id="portalCarousel" class="carousel slide" data-ride="carousel" data-interval="false" xmlns:x="designer" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><ol cl

  27. Error Attribute xmlns:sharepoint not allowed here.

    From line 708, column 186; to line 708, column 592

    style="" ><div id="portalCarousel" class="carousel slide" data-ride="carousel" data-interval="false" xmlns:x="designer" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><ol cl

  28. Warning Attribute with the local name xmlns:sharepoint is not serializable as XML 1.0.

    From line 708, column 186; to line 708, column 592

    style="" ><div id="portalCarousel" class="carousel slide" data-ride="carousel" data-interval="false" xmlns:x="designer" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><ol cl

  29. Error Attribute xmlns:ddwrt2 not allowed here.

    From line 708, column 186; to line 708, column 592

    style="" ><div id="portalCarousel" class="carousel slide" data-ride="carousel" data-interval="false" xmlns:x="designer" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><ol cl

  30. Warning Attribute with the local name xmlns:ddwrt2 is not serializable as XML 1.0.

    From line 708, column 186; to line 708, column 592

    style="" ><div id="portalCarousel" class="carousel slide" data-ride="carousel" data-interval="false" xmlns:x="designer" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><ol cl

  31. Error Bad value /Homepage Carousel/flag_halfstaff_photoonly.png for attribute src on element img: Illegal character in path segment: space is not allowed.

    From line 708, column 1319; to line 708, column 1480

    -wrapper"><img src="/Homepage Carousel/flag_halfstaff_photoonly.png" alt="Governor Kate Brown Orders Flags Lowered to Half-Staff in Honor of Victims in Las Vegas Shooting"></div>

  32. Error Bad value /Homepage Carousel/ODOE_top5rank.png for attribute src on element img: Illegal character in path segment: space is not allowed.

    From line 708, column 2012; to line 708, column 2124

    -wrapper"><img src="/Homepage Carousel/ODOE_top5rank.png" alt="Example Ranks Among Top 5 Most Energy Efficient U.S. States"></div>

  33. Error Bad value /Homepage Carousel/OYA_riverbend.png for attribute src on element img: Illegal character in path segment: space is not allowed.

    From line 708, column 2607; to line 708, column 2714

    -wrapper"><img src="/Homepage Carousel/OYA_riverbend.png" alt="Youth Fire Crew Learns Job Skills -- and Helps Others"></div>

  34. Error Bad value /Homepage Carousel/OCE_dianabunch.png for attribute src on element img: Illegal character in path segment: space is not allowed.

    From line 708, column 3157; to line 708, column 3242

    -wrapper"><img src="/Homepage Carousel/OCE_dianabunch.png" alt="The Power of a Personal Choice"></div>

  35. Error Bad value /Homepage Carousel/travel_example_kayaker.jpg for attribute src on element img: Illegal character in path segment: space is not allowed.

    From line 708, column 3829; to line 708, column 3924

    -wrapper"><img src="/Homepage Carousel/travel_example_kayaker.jpg" alt="Time to Plan Your Example Vacation"></div>

  36. Error Bad value /Homepage Carousel/ODOT_example_safest_driver.png for attribute src on element img: Illegal character in path segment: space is not allowed.

    From line 708, column 4392; to line 708, column 4489

    -wrapper"><img src="/Homepage Carousel/ODOT_example_safest_driver.png" alt="Are you Example's safest driver?"></div>

  37. Error Bad value /Homepage Carousel/egov_secure_browsers_photoonly.png for attribute src on element img: Illegal character in path segment: space is not allowed.

    From line 708, column 4825; to line 708, column 4940

    -wrapper"><img src="/Homepage Carousel/egov_secure_browsers_photoonly.png" alt="Secure browsers required for online payments"></div>

  38. Warning The region role is unnecessary for element section.

    From line 713, column 3; to line 713, column 147

    ction> <section id="payments" role="region" class="quicklink section-background portal-sidenav-section or-search-hide " aria-labelledby="paymentsLabel"> <a

  39. Warning The region role is unnecessary for element section.

    From line 798, column 3; to line 798, column 141

    ction> <section role="region" id="forms" class="quicklink section-background portal-sidenav-section or-search-hide " aria-labelledby="formsLabel"> <a

  40. Warning The region role is unnecessary for element section.

    From line 888, column 3; to line 888, column 147

    ction> <section role="region" id="licenses" class="quicklink section-background portal-sidenav-section or-search-hide " aria-labelledby="licensesLabel"> <a

  41. Warning The region role is unnecessary for element section.

    From line 973, column 3; to line 973, column 145

    ction> <section role="region" id="drivers" class="quicklink section-background portal-sidenav-section or-search-hide " aria-labelledby="driversLabel"> <a

  42. Error The cellpadding attribute on the table element is obsolete. Use CSS instead.

    From line 1061, column 4; to line 1061, column 88

    d!</p> <table class="s4-wpTopTable" border="0" cellpadding="0" cellspacing="0" width="100%"> <tr>

  43. Error The cellspacing attribute on the table element is obsolete. Use CSS instead.

    From line 1061, column 4; to line 1061, column 88

    d!</p> <table class="s4-wpTopTable" border="0" cellpadding="0" cellspacing="0" width="100%"> <tr>

  44. Error The width attribute on the table element is obsolete. Use CSS instead.

    From line 1061, column 4; to line 1061, column 88

    d!</p> <table class="s4-wpTopTable" border="0" cellpadding="0" cellspacing="0" width="100%"> <tr>

  45. Error The border attribute on the table element is obsolete. Use CSS instead.

    From line 1061, column 4; to line 1061, column 88

    d!</p> <table class="s4-wpTopTable" border="0" cellpadding="0" cellspacing="0" width="100%"> <tr>

  46. Error The valign attribute on the td element is obsolete. Use CSS instead.

    From line 1062, column 6; to line 1063, column 19

    0%"> <tr> <td valign="top"><div W

  47. Error Attribute webpartid not allowed on element div at this point.

    From line 1063, column 20; to line 1063, column 185

    ign="top"><div WebPartID="00000000-0000-0000-0000-000000000000" HasPers="true" id="WebPartWPQ2" width="100%" class="noindex" OnlyForMePart="true" allowDelete="false" style="" ><div c

  48. Error Attribute haspers not allowed on element div at this point.

    From line 1063, column 20; to line 1063, column 185

    ign="top"><div WebPartID="00000000-0000-0000-0000-000000000000" HasPers="true" id="WebPartWPQ2" width="100%" class="noindex" OnlyForMePart="true" allowDelete="false" style="" ><div c

  49. Error Attribute width not allowed on element div at this point.

    From line 1063, column 20; to line 1063, column 185

    ign="top"><div WebPartID="00000000-0000-0000-0000-000000000000" HasPers="true" id="WebPartWPQ2" width="100%" class="noindex" OnlyForMePart="true" allowDelete="false" style="" ><div c

  50. Error Attribute onlyformepart not allowed on element div at this point.

    From line 1063, column 20; to line 1063, column 185

    ign="top"><div WebPartID="00000000-0000-0000-0000-000000000000" HasPers="true" id="WebPartWPQ2" width="100%" class="noindex" OnlyForMePart="true" allowDelete="false" style="" ><div c

  51. Error Attribute allowdelete not allowed on element div at this point.

    From line 1063, column 20; to line 1063, column 185

    ign="top"><div WebPartID="00000000-0000-0000-0000-000000000000" HasPers="true" id="WebPartWPQ2" width="100%" class="noindex" OnlyForMePart="true" allowDelete="false" style="" ><div c

  52. Error Attribute xmlns:x not allowed here.

    From line 1063, column 186; to line 1063, column 523

    style="" ><div class="myExample" xmlns:x="http://www.w3.org/2001/XMLSchema" xmlns:d="http://schemas.microsoft.cdesigner" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><div c

  53. Warning Attribute with the local name xmlns:x is not serializable as XML 1.0.

    From line 1063, column 186; to line 1063, column 523

    style="" ><div class="myExample" xmlns:x="http://www.w3.org/2001/XMLSchema" xmlns:d="http://schemas.microsoft.cdesigner" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><div c

  54. Error Attribute xmlns:d not allowed here.

    From line 1063, column 186; to line 1063, column 523

    style="" ><div class="myExample" xmlns:x="http://www.w3.org/2001/XMLSchema" xmlns:d="http://schemas.microsoft.cdesigner" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><div c

  55. Warning Attribute with the local name xmlns:d is not serializable as XML 1.0.

    From line 1063, column 186; to line 1063, column 523

    style="" ><div class="myExample" xmlns:x="http://www.w3.org/2001/XMLSchema" xmlns:d="http://schemas.microsoft.cdesigner" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><div c

  56. Error Attribute xmlns:asp not allowed here.

    From line 1063, column 186; to line 1063, column 523

    style="" ><div class="myExample" xmlns:x="http://www.w3.org/2001/XMLSchema" xmlns:d="http://schemas.microsoft.cdesigner" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><div c

  57. Warning Attribute with the local name xmlns:asp is not serializable as XML 1.0.

    From line 1063, column 186; to line 1063, column 523

    style="" ><div class="myExample" xmlns:x="http://www.w3.org/2001/XMLSchema" xmlns:d="http://schemas.microsoft.cdesigner" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><div c

  58. Error Attribute xmlns:__designer not allowed here.

    From line 1063, column 186; to line 1063, column 523

    style="" ><div class="myExample" xmlns:x="http://www.w3.org/2001/XMLSchema" xmlns:d="http://schemas.microsoft.cdesigner" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><div c

  59. Warning Attribute with the local name xmlns:__designer is not serializable as XML 1.0.

    From line 1063, column 186; to line 1063, column 523

    style="" ><div class="myExample" xmlns:x="http://www.w3.org/2001/XMLSchema" xmlns:d="http://schemas.microsoft.cdesigner" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><div c

  60. Error Attribute xmlns:sharepoint not allowed here.

    From line 1063, column 186; to line 1063, column 523

    style="" ><div class="myExample" xmlns:x="http://www.w3.org/2001/XMLSchema" xmlns:d="http://schemas.microsoft.cdesigner" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><div c

  61. Warning Attribute with the local name xmlns:sharepoint is not serializable as XML 1.0.

    From line 1063, column 186; to line 1063, column 523

    style="" ><div class="myExample" xmlns:x="http://www.w3.org/2001/XMLSchema" xmlns:d="http://schemas.microsoft.cdesigner" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><div c

  62. Error Attribute xmlns:ddwrt2 not allowed here.

    From line 1063, column 186; to line 1063, column 523

    style="" ><div class="myExample" xmlns:x="http://www.w3.org/2001/XMLSchema" xmlns:d="http://schemas.microsoft.cdesigner" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><div c

  63. Warning Attribute with the local name xmlns:ddwrt2 is not serializable as XML 1.0.

    From line 1063, column 186; to line 1063, column 523

    style="" ><div class="myExample" xmlns:x="http://www.w3.org/2001/XMLSchema" xmlns:d="http://schemas.microsoft.cdesigner" xmlns:SharePoint="Microsoft.SharePoint.WebControls" xmlns:ddwrt2="urn:frontpage:internal"><div c

  64. Warning Element name ie:menuitem cannot be represented as XML 1.0.

    From line 1171, column 3; to line 1171, column 246

    enuUI"> <ie:menuitem id="MSOMenu_Help" iconsrc="/_layouts/images/HelpIcon.gif" onmenuclick="MSOWebPartPage_S('helpLink'), MenuWebPart.getAttribute('helpMode'))" text="Help" type="option" style="display:none"> </

  65. Error Element ie:menuitem not allowed as child of element menu in this context. (Suppressing further errors from this subtree.)

    From line 1171, column 3; to line 1171, column 246

    enuUI"> <ie:menuitem id="MSOMenu_Help" iconsrc="/_layouts/images/HelpIcon.gif" onmenuclick="MSOWebPartPage_S('helpLink'), MenuWebPart.getAttribute('helpMode'))" text="Help" type="option" style="display:none"> </

  66. Error Bad value /Style Library/js/agency.js for attribute src on element script: Illegal character in path segment: space is not allowed.

    From line 1262, column 134; to line 1262, column 175

    ;</script><script src="/Style Library/js/agency.js"></scri



example.org

The Website Security Summary
SSL/TLS Strength: C
Performance: 73%
Security Headers: 30%
Patch Level: 48%
Code Quality: 90%



Summary of SSL/TLS Security

www.example.org [172.16.203.176]: C+
Compliant: NIST / HIPAA / PCI_DSS
[Warning] The server supports protocols that have known weaknesses and are considered unsafe.
[Warning] The server supports cipher suites that are not approved by PCI DSS requirements, NIST guidelines and HIPAA guidance.
[Warning] The server is vulnerable to POODLE over SSL.
[Warning] The server does not prefer cipher suites providing strong Perfect Forward Secrecy (PFS). We advise configuring the server to prefer cipher suites with ECDHE or DHE key exchange.
[Passed] The HTTP version of the website redirects to the HTTPS version.
[Warning] The server does not enforce HTTP Strict Transport Security. We advise enabling it so that browsers are forced to use HTTPS for the site.

The Website Performance

Desktop Speed: 79%
  • ! Optimize images
  • ! Leverage browser caching
  • Avoid landing page redirects
  • Prioritize visible content
  • Enable compression
  • Minify CSS
  • ! Minify JavaScript
  • ! Eliminate render-blocking JavaScript and CSS in above-the-fold content
  • Reduce server response time
  • Minify HTML

Mobile Speed: 66%
  • ! Leverage browser caching
  • Prioritize visible content
  • Enable compression
  • Minify CSS
  • ! Optimize images
  • ! Minify JavaScript
  • Avoid landing page redirects
  • Minify HTML
  • Eliminate render-blocking JavaScript and CSS in above-the-fold content
  • Reduce server response time

Mobile Usability: 74%
  • ! Size tap targets appropriately
  • ! Configure the viewport
  • ! Size content to viewport
  • Avoid plugins
  • ! Use legible font sizes



Security Headers

Security Header | Status
Pragma
The Pragma general-header field is used to include implementation-specific directives that might apply to any recipient along the request/response chain. All pragma directives specify optional behavior from the viewpoint of the protocol; however, some systems MAY require that behavior be consistent with the directives. Ideally, the web server should return the following HTTP header in all responses containing sensitive content: "Pragma: no-store"
!
Content-Type
The Content-Type entity-header field indicates the media type of the entity-body sent to the recipient or, in the case of the HEAD method, the media type that would have been sent had the request been a GET. An ideal example of the field is "Content-Type: text/html; charset=ISO-8859-4"
Cache-control
Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content: "Cache-control: no-store"
X-Frame-Options
X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "x-frame-options: SAMEORIGIN" (or "DENY" if no page needs to be framed at all). The Content-Security-Policy frame-ancestors directive supersedes this header in modern browsers, so set both.
!
Public-Key-Pins
HTTP Public Key Pinning was designed to protect your site from MiTM attacks using rogue X.509 certificates: by whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised. Note that HPKP has since been deprecated and removed from major browsers, and a mistaken or stale pin locks every returning visitor out of the site for the pin's max-age. Treat this item as informational rather than as a header to deploy.
!
X-Content-Type-Options
X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff"
!
X-AspNet-Version
The HTTP responses returned by this web application include a header named X-AspNet-Version. The value of this header is used by Visual Studio to determine which version of ASP.NET is in use. It is not necessary for production sites and should be disabled.
Content-Security-Policy
Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
!
X-XSS-Protection
X-XSS-Protection sets the configuration for the reflected cross-site scripting filter built into some older browsers. The value this report recommends is "X-XSS-Protection: 1; mode=block". Note that the filter has since been removed from Chrome and Edge and was never implemented in Firefox, and the filter itself could be abused to leak information, so current guidance is "X-XSS-Protection: 0" with Content-Security-Policy as the actual XSS control.
!
Server
The Server response-header field contains information about the software used by the origin server to handle the request. The field can contain multiple product tokens (as defined in RFC 2616, section 3.8) and comments identifying the server and any significant subproducts. The product tokens are listed in order of their significance for identifying the application. Because it reveals the server software and often its version, it should be removed or reduced to a generic value.
!
Accept-Ranges
Unconstrained multiple range requests are susceptible to denial-of-service attacks because the effort required to request many overlapping ranges of the same data is tiny compared to the time, memory, and bandwidth consumed by attempting to serve the requested data in many parts (RFC 7233, section 6.1). A server that advertises "Accept-Ranges: bytes" should ignore, coalesce, or reject requests with many or overlapping ranges.
!
Strict-Transport-Security
HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value "strict-transport-security: max-age=31536000; includeSubDomains". Browsers only honor the header when it arrives over an HTTPS connection with a valid certificate, so HTTP-to-HTTPS redirection has to be in place first.
!
X-Powered-By
The X-Powered-By header gives information on the technology that's supporting the web server. With typical values like ASP.NET or PHP/5.4.0, this is another piece of information that we can remove from public display.
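To turn the checklist above into a repeatable check, the following is an added example (not part of this report and not code from the scanned site) that parses a raw HTTP response and reports the same classes of finding: hardening headers that are missing or carry a weak value, a Content-Type without a charset, missing cache directives on a sensitive response, and disclosure headers that are present. The two responses embedded in it are constructed, one resembling an unhardened ASP.NET response and one corrected; the IIS version string and cookie value in them are made up.

```python
"""Audit HTTP response headers against the security-header checklist.

Added example, not part of the scan report. SAMPLE_RESPONSE and HARDENED
are constructed inputs, not captures from the scanned host.
"""
from typing import Dict, List

# Constructed: an ASP.NET login-page response with no hardening headers and
# three information-disclosure headers present.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Cache-Control: private\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "Accept-Ranges: bytes\r\n"
    "Set-Cookie: ASP.NET_SessionId=deadbeef; path=/; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed: the same response after the recommended fixes.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Cache-Control: no-store\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP response into a lower-cased name -> values map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(headers: Dict[str, List[str]], sensitive: bool = True) -> List[str]:
    """Return one finding per problem, in a stable order.

    sensitive=True applies the cache-directive checks that matter for pages
    carrying credentials or personal data.
    """
    findings: List[str] = []

    def first(name: str) -> str:
        return headers.get(name, [""])[0]

    # Hardening headers that must be present with a specific value.
    if first("x-content-type-options").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if first("x-frame-options").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy missing")

    # HSTS: parse max-age and require at least one year.
    max_age = 0
    for part in first("strict-transport-security").lower().split(";"):
        key, _, val = part.strip().partition("=")
        if key == "max-age" and val.isdigit():
            max_age = int(val)
    if max_age < 31536000:
        findings.append("Strict-Transport-Security missing or max-age below one year")

    # Content-Type must carry a charset so the browser never guesses one.
    if "charset=" not in first("content-type").lower():
        findings.append("Content-Type has no charset")

    # Caching directives for responses that contain sensitive content.
    if sensitive:
        if "no-store" not in first("cache-control").lower():
            findings.append("Cache-Control lacks no-store")
        if first("pragma").lower() != "no-cache":
            findings.append("Pragma: no-cache missing")

    # Disclosure headers: any presence is a finding, whatever the value.
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        if name in headers:
            findings.append(f"{name} header discloses '{first(name)}'")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_headers(SAMPLE_RESPONSE)):
        print("-", finding)
```

X-XSS-Protection is deliberately left out of the audit, since its recommended value depends on which guidance you follow. On IIS/ASP.NET the three disclosure headers are removed in web.config: X-AspNet-Version with `<httpRuntime enableVersionHeader="false" />`, X-Powered-By with `<remove name="X-Powered-By" />` under `<customHeaders>`, and the Server header with `removeServerHeader="true"` on `<requestFiltering>` (IIS 10 and later).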



Possible Vulnerabilities

Improper restriction of excessive authentication attempts or login form without bot detection
Vulnerability Title | CWE-ID | Status
Improper restriction of excessive authentication attempts or login form without bot detection | CWE-307 | Failed

Description:

The software does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests. This can allow the actor to perform actions more frequently than expected. The actor could be a human or an automated process such as a virus or bot. This could be used to cause a denial of service, compromise program logic (such as limiting humans to a single vote), or other consequences. For example, an authentication routine might not limit the number of times an attacker can guess a password. Or, a web site might conduct a poll but only expect humans to vote a maximum of once a day.

Mitigation:

Common protection mechanisms include: (1) Disconnecting the user after a small number of failed attempts (2) Implementing a timeout (3) Locking out a targeted account (4) Requiring a computational task on the user's part.

Reference(s):


Application / Service URL | Vulnerability Details
  • https://www.example.org


Form Action: /default.aspx
Form ID: htmlForm
 Input ID: __EVENTTARGET
 Input ID: __EVENTARGUMENT
 Input ID: holderMainBody_tbxEmail
 Input ID: holderMainBody_tbxPassword_password
 Input ID: holderMainBody_btnLogin
 Input ID: __VIEWSTATEGENERATOR
 Input ID: __EVENTVALIDATION
 Input ID: __VIEWSTATE
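The mitigation list above (disconnect after a small number of failures, a timeout, a lockout of the targeted account) is straightforward to implement server-side. The following is an added example, not code from the scanned application, of a failed-login throttle that counts failures in a sliding window per account and per source address, locks the key out when a limit is hit, and doubles the lockout on each consecutive lockout. Account names, addresses and limits in it are made up; the clock is injected so the behaviour can be exercised without waiting.

```python
"""Failed-login throttling with per-account and per-IP lockout.

Added example; not the scanned application's code. Thresholds, names and
addresses are constructed for illustration.
"""
import time
from collections import deque
from typing import Callable, Deque, Dict, List, Tuple


class LoginThrottle:
    """Track failures in a sliding window and lock keys out with backoff."""

    def __init__(self, limits: Dict[str, int] = None, window: float = 300.0,
                 base_lockout: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        # The per-account limit is low; the per-IP limit is higher because
        # many users can legitimately share one address (NAT, proxies).
        self.limits = limits or {"acct": 5, "ip": 50}
        self.window = window
        self.base_lockout = base_lockout
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}
        self._lockouts: Dict[str, int] = {}      # consecutive lockouts per key

    @staticmethod
    def _keys(account: str, source_ip: str) -> Tuple[Tuple[str, str], ...]:
        return (("acct", f"acct:{account.lower()}"), ("ip", f"ip:{source_ip}"))

    def retry_after(self, account: str, source_ip: str) -> float:
        """Seconds until the next attempt is permitted (0.0 if allowed now)."""
        now = self.clock()
        waits = [self._locked_until.get(k, 0.0) - now
                 for _, k in self._keys(account, source_ip)]
        return max(waits + [0.0])

    def record_failure(self, account: str, source_ip: str) -> None:
        now = self.clock()
        for kind, key in self._keys(account, source_ip):
            q = self._failures.setdefault(key, deque())
            while q and now - q[0] > self.window:   # expire old failures
                q.popleft()
            q.append(now)
            if len(q) >= self.limits[kind]:
                n = self._lockouts.get(key, 0)
                self._locked_until[key] = now + self.base_lockout * (2 ** n)
                self._lockouts[key] = n + 1
                q.clear()

    def record_success(self, account: str, source_ip: str) -> None:
        # A correct login clears the account's counters. The per-IP counters
        # stay, so a bot that guessed one password is still throttled.
        key = f"acct:{account.lower()}"
        for table in (self._failures, self._locked_until, self._lockouts):
            table.pop(key, None)


def attempt_login(throttle: LoginThrottle, account: str, source_ip: str,
                  password_ok: bool) -> str:
    """Gate one login attempt: 'locked', 'ok' or 'failed'."""
    if throttle.retry_after(account, source_ip) > 0:
        return "locked"        # do not evaluate the credential at all
    if password_ok:
        throttle.record_success(account, source_ip)
        return "ok"
    throttle.record_failure(account, source_ip)
    return "failed"


class FakeClock:
    """Deterministic clock so the lockout timing is testable."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate() -> List[str]:
    """Constructed sequence: five bad guesses, a correct password while
    locked out, then the same correct password after the lockout expires."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    outcomes: List[str] = []
    for _ in range(5):
        outcomes.append(attempt_login(throttle, "alice@example.org", "203.0.113.5", False))
        clock.advance(1)
    outcomes.append(attempt_login(throttle, "alice@example.org", "203.0.113.5", True))
    clock.advance(61)
    outcomes.append(attempt_login(throttle, "alice@example.org", "203.0.113.5", True))
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

Two design points matter in practice: the lockout check runs before the password is verified, so a locked-out attacker learns nothing from the response, and a per-account lockout alone is a denial-of-service lever against a known username, which is why the per-IP counter is kept and why the account lockout is short with backoff rather than permanent.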

Password or sensitive form field with autocomplete attribute or information exposure through browser caching
Vulnerability Title | CWE-ID | Status
Password or sensitive form field with autocomplete attribute or information exposure through browser caching | CWE-525 | Warning

Description:

For each web page, the application should have an appropriate caching policy specifying the extent to which the page and its form fields should be cached. Browsers often store information in a client-side cache, which can leave behind sensitive information for other users to find and exploit, such as passwords or credit card numbers. The locations at most risk include public terminals, such as those in libraries and Internet cafes.

Mitigation:

(1) Protect information stored in cache. (2) Use a restrictive caching policy for forms and web pages that potentially contain sensitive information. (3) Do not cache sensitive information unnecessarily. (4) Consider using encryption in the cache. (5) Disable autocomplete for sensitive form fields.

Reference(s):


Application / Service URL | Vulnerability Details
  • https://www.example.org


Form Action: /default.aspx
Form ID: htmlForm
Input ID: holderMainBody_tbxPassword_password

Sensitive Cookie in HTTPS Session Without secure Attribute
Vulnerability Title | CWE-ID | Status
Sensitive Cookie in HTTPS Session Without secure Attribute | CWE-614 | Warning

Description:

The secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This helps protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie is sent in clear text, where a network attacker can read it and take over the session.

Mitigation:

Always set the secure attribute when the cookie should be sent via HTTPS only.

Reference(s):


Application / Service URL | Vulnerability Details
  • https://www.example.org


Cookie ID: tdtyk0a2fy0uuhay24opx3lo
Cookie Name: ASP.NET_SessionId
HTTPOnly: True
Path: /
Secure: False
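Both of the last two findings (the password field without an autocomplete attribute and the session cookie without the secure attribute) are visible in a single login-page response, so one check can cover them. The following is an added example, not part of the report or the scanned application, that parses the Set-Cookie headers and the form markup of a response and reports the cookie attributes, the autocomplete setting of password fields, and whether the page is served with Cache-Control: no-store. The cookie header and markup are constructed to mirror what the report lists (the cookie and field names come from the report; the cookie value and the rest of the markup are made up), and the SameSite check goes beyond what the report tests.

```python
"""Check a login response for weak session-cookie attributes and for
password fields that browsers may autofill or cache.

Added example, not code from the scan report. SAMPLE_HEADERS and
SAMPLE_BODY are constructed inputs.
"""
from html.parser import HTMLParser
from typing import Dict, List

SESSION_COOKIE_NAMES = ("asp.net_sessionid", "jsessionid", "phpsessid", "sessionid")

# Constructed sample: what a scanner sees from the login page.
SAMPLE_HEADERS: Dict[str, List[str]] = {
    "set-cookie": ["ASP.NET_SessionId=deadbeef; path=/; HttpOnly"],
    "cache-control": ["private"],
}
SAMPLE_BODY = """
<form method="post" action="/default.aspx" id="htmlForm">
  <input name="holderMainBody_tbxEmail" type="text" id="holderMainBody_tbxEmail" />
  <input name="holderMainBody_tbxPassword_password" type="password"
         id="holderMainBody_tbxPassword_password" />
  <input type="submit" name="holderMainBody_btnLogin" value="Login" />
</form>
"""


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()    # flag attributes map to ""
    return cookie


def audit_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Flag session cookies that lack Secure, HttpOnly or SameSite."""
    findings: List[str] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        name = cookie["name"]
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue
        for attr, label in (("secure", "Secure"), ("httponly", "HttpOnly"),
                            ("samesite", "SameSite")):
            if attr not in cookie:
                findings.append(f"{name}: {label} attribute missing")
    return findings


class PasswordFieldFinder(HTMLParser):
    """Collect password inputs and flag those without autocomplete="off"."""

    def __init__(self) -> None:
        super().__init__()
        self.password_fields: List[str] = []
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "password":
            return
        ident = a.get("id") or a.get("name") or "<unnamed>"
        self.password_fields.append(ident)
        if a.get("autocomplete", "").lower() != "off":
            self.findings.append(f'{ident}: password field without autocomplete="off"')


def audit_login_response(headers: Dict[str, List[str]], body: str) -> List[str]:
    """Run the cookie, form-field and cache-policy checks on one response."""
    findings = audit_cookies(headers.get("set-cookie", []))
    finder = PasswordFieldFinder()
    finder.feed(body)
    findings += finder.findings
    # A page that collects a password must not be stored by any cache.
    cache_control = headers.get("cache-control", [""])[0].lower()
    if finder.password_fields and "no-store" not in cache_control:
        findings.append("login page served without Cache-Control: no-store")
    return findings


def run_sample() -> List[str]:
    return audit_login_response(SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    for finding in run_sample():
        print("-", finding)
```

One caveat on the autocomplete finding: current browsers ignore autocomplete="off" on login password fields so that password managers keep working, which is why the cache directives, not the attribute, are the control that actually prevents the credential from being stored on a shared machine.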




Code Quality

The core reason to run your HTML documents through a conformance checker is simple: To catch unintended mistakes—mistakes you might have otherwise missed—so that you can fix them. Beyond that, some document-conformance requirements (validity rules) in the HTML spec are there to help you and the users of your documents avoid certain kinds of potential problems. This validator checks the markup validity of Web documents in HTML, XHTML, SMIL, MathML, etc.

  1. Error Almost standards mode doctype. Expected "<!DOCTYPE html>".

    From line 1, column 1; to line 3, column 121

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><htm

  2. Error An img element must have an alt attribute, except under certain conditions. For details, consult guidance on providing text alternatives for images.

    From line 19, column 38; to line 19, column 108

    href="#"><img src="/images/ohsi-logo.jpg" width="362" height="128" border="0" /></a></

  3. Warning The border attribute is obsolete. Consider specifying img { border: 0; } in CSS instead.

    From line 19, column 38; to line 19, column 108

    href="#"><img src="/images/ohsi-logo.jpg" width="362" height="128" border="0" /></a></

  4. Error The width attribute on the table element is obsolete. Use CSS instead.

    From line 68, column 1; to line 68, column 63

    /><br /><table width="100%" border="0" cellspacing="0" cellpadding="6"> <

  5. Error The cellspacing attribute on the table element is obsolete. Use CSS instead.

    From line 68, column 1; to line 68, column 63

    /><br /><table width="100%" border="0" cellspacing="0" cellpadding="6"> <

  6. Error The cellpadding attribute on the table element is obsolete. Use CSS instead.

    From line 68, column 1; to line 68, column 63

    /><br /><table width="100%" border="0" cellspacing="0" cellpadding="6"> <

  7. Error The border attribute on the table element is obsolete. Use CSS instead.

    From line 68, column 1; to line 68, column 63

    /><br /><table width="100%" border="0" cellspacing="0" cellpadding="6"> <

  8. Error The align attribute on the td element is obsolete. Use CSS instead.

    From line 70, column 13; to line 71, column 43

    <tr> <td align="right" valign="top"><br />

  9. Error The valign attribute on the td element is obsolete. Use CSS instead.

    From line 70, column 13; to line 71, column 43

    <tr> <td align="right" valign="top"><br />

  10. Error The shape attribute on the a element is obsolete. Use area instead of a for image maps.

    From line 75, column 53; to line 75, column 103

    process. <a shape="rect" href="/customer/accountSetup.aspx"><img w

  11. Error Attribute complete not allowed on element img at this point.

    From line 75, column 104; to line 75, column 245

    tup.aspx"><img width="141" height="39" style="margin-top: -16px; position: absolute; " src="/images/btn-start-now.jpg" border="0" complete="complete" /></a></

  12. Error An img element must have an alt attribute, except under certain conditions. For details, consult guidance on providing text alternatives for images.

    From line 75, column 104; to line 75, column 245

    tup.aspx"><img width="141" height="39" style="margin-top: -16px; position: absolute; " src="/images/btn-start-now.jpg" border="0" complete="complete" /></a></

  13. Warning The border attribute is obsolete. Consider specifying img { border: 0; } in CSS instead.

    From line 75, column 104; to line 75, column 245

    tup.aspx"><img width="141" height="39" style="margin-top: -16px; position: absolute; " src="/images/btn-start-now.jpg" border="0" complete="complete" /></a></

  14. Error The cellpadding attribute on the table element is obsolete. Use CSS instead.

    From line 85, column 1; to line 85, column 78

    <table id="holderMainBody_dsnMain" border="0" cellpadding="0" cellspacing="0"><tr>

  15. Error The cellspacing attribute on the table element is obsolete. Use CSS instead.

    From line 85, column 1; to line 85, column 78

    <table id="holderMainBody_dsnMain" border="0" cellpadding="0" cellspacing="0"><tr>

  16. Error The border attribute on the table element is obsolete. Use CSS instead.

    From line 85, column 1; to line 85, column 78

    <table id="holderMainBody_dsnMain" border="0" cellpadding="0" cellspacing="0"><tr>

  17. Error The cellpadding attribute on the table element is obsolete. Use CSS instead.

    From line 88, column 9; to line 88, column 78

    > <table class="dataBoxBody" border="0" cellpadding="2" cellspacing="0">

  18. Error The cellspacing attribute on the table element is obsolete. Use CSS instead.

    From line 88, column 9; to line 88, column 78

    > <table class="dataBoxBody" border="0" cellpadding="2" cellspacing="0">

  19. Error The border attribute on the table element is obsolete. Use CSS instead.

    From line 88, column 9; to line 88, column 78

    > <table class="dataBoxBody" border="0" cellpadding="2" cellspacing="0">

  20. Error Attribute language not allowed on element input at this point.

    From line 106, column 90; to line 106, column 426

    RowValue"><input type="submit" name="_ctl0:holderMainBody:btnLogin" value="Login" onclick="javascript:WebForm_t;, false, false))" language="javascript" id="holderMainBody_btnLogin" class="formButton_small_1" />

  21. Error Table columns in range 2…3 established by element td have no cells beginning in them.

    From line 86, column 5; to line 87, column 40

    ="0"><tr> <td class="dataBoxBody" colspan="3">

  22. Error Duplicate attribute shape.

    At line 126, column 66

    rmsOfuse" shape="rect">Terms o

  23. Error The shape attribute on the a element is obsolete. Use area instead of a for image maps.

    From line 126, column 26; to line 126, column 73

    ="footer"><a shape="rect" href="/termsOfuse" shape="rect">Terms

  24. Error Duplicate attribute shape.

    At line 126, column 130

    /privacy" shape="rect">Privacy

  25. Error The shape attribute on the a element is obsolete. Use area instead of a for image maps.

    From line 126, column 93; to line 126, column 137

    Use</a> | <a shape="rect" href="/privacy" shape="rect">Privac


