| Absence of Anti-CSRF Tokens |
|
| Application Error Disclosure |
|
| Authentication Credentials Captured |
|
| Big Redirect Detected (Potential Sensitive Information Leak) |
|
| Charset Mismatch |
|
| Content Security Policy (CSP) Header Not Set |
|
| Content Security Policy (CSP) Report-Only Header Found |
|
| Content-Type Header Empty |
|
| Content-Type Header Missing |
|
| Cookie No HttpOnly Flag |
|
| Cookie Poisoning |
|
| Cookie with Invalid SameSite Attribute |
|
| Cookie with SameSite Attribute None |
|
| Cookie without SameSite Attribute |
|
| Cookie Without Secure Flag |
|
| Cross-Domain JavaScript Source File Inclusion |
|
| Cross-Domain Misconfiguration |
|
| CSP: Failure to Define Directive with No Fallback |
|
| CSP: Header & Meta |
|
| CSP: Malformed Policy (Non-ASCII) |
|
| CSP: Meta Policy Invalid Directive |
|
| CSP: Notices |
|
| CSP: script-src unsafe-eval |
|
| CSP: script-src unsafe-hashes |
|
| CSP: script-src unsafe-inline |
|
| CSP: style-src unsafe-hashes |
|
| CSP: style-src unsafe-inline |
|
| CSP: Wildcard Directive |
|
| CSP: X-Content-Security-Policy |
|
| CSP: X-WebKit-CSP |
|
| Dangerous JS Functions |
|
| Deprecated Feature Policy Header Set |
|
| Directory Browsing |
|
| Emails Found in the Viewstate |
|
| Hash Disclosure - MD4 / MD5 |
|
| Heartbleed OpenSSL Vulnerability (Indicative) |
|
| HTTP Parameter Override |
|
| HTTP to HTTPS Insecure Transition in Form Post |
|
| HTTPS to HTTP Insecure Transition in Form Post |
|
| In Page Banner Information Leak |
|
| Information Disclosure - Debug Error Messages |
|
| Information Disclosure - Sensitive Information in HTTP Referrer Header |
|
| Information Disclosure - Sensitive Information in URL |
|
| Information Disclosure - Suspicious Comments |
|
| Insecure JSF ViewState |
|
| Insufficient Site Isolation Against Spectre Vulnerability |
|
| Insufficient Site Isolation Against Spectre Vulnerability |
|
| Insufficient Site Isolation Against Spectre Vulnerability |
|
| Java Serialization Object |
|
| Loosely Scoped Cookie |
|
| Missing Anti-clickjacking Header |
|
| Modern Web Application |
|
| Multiple HREFs Redirect Detected (Potential Sensitive Information Leak) |
|
| Multiple X-Frame-Options Header Entries |
|
| Non-Storable Content |
|
| Obsolete Content Security Policy (CSP) Header Found |
|
| Old Asp.Net Version in Use |
|
| Open Redirect |
|
| Permissions Policy Header Not Set |
|
| PII Disclosure |
|
| Potential IP Addresses Found in the Viewstate |
|
| Private IP Disclosure |
|
| Re-examine Cache-control Directives |
|
| Referer Exposes Session ID |
|
| Retrieved from Cache |
|
| Retrieved from Cache |
|
| Reverse Tabnabbing |
|
| Script Served From Malicious Domain (polyfill) |
|
| Script Served From Malicious Domain (polyfill) |
|
| Secure Pages Include Mixed Content |
|
| Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) |
|
| Server Leaks its Webserver Application via "Server" HTTP Response Header Field |
|
| Server Leaks Version Information via "Server" HTTP Response Header Field |
|
| Session ID in URL Rewrite |
|
| Session ID in URL Rewrite |
|
| Source Code Disclosure - PHP |
|
| Split Viewstate in Use |
|
| Storable and Cacheable Content |
|
| Storable but Non-Cacheable Content |
|
| Strict-Transport-Security Defined via META (Non-compliant with Spec) |
|
| Strict-Transport-Security Disabled |
|
| Strict-Transport-Security Header Not Set |
|
| Strict-Transport-Security Header on Plain HTTP Response |
|
| Strict-Transport-Security Malformed Content (Non-compliant with Spec) |
|
| Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) |
|
| Strict-Transport-Security Missing Max-Age (Non-compliant with Spec) |
|
| Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec) |
|
| Sub Resource Integrity Attribute Missing |
|
| Timestamp Disclosure - Unix |
|
| User Controllable Charset |
|
| User Controllable HTML Element Attribute (Potential XSS) |
|
| User Controllable JavaScript Event (XSS) |
|
| Username Hash Found |
|
| Viewstate without MAC Signature (Sure) |
|
| Viewstate without MAC Signature (Unsure) |
|
| Vulnerable JS Library |
|
| Weak Authentication Method |
|
| WSDL File Detection |
|
| X-AspNet-Version Response Header |
|
| X-Backend-Server Header Information Leak |
|
| X-ChromeLogger-Data (XCOLD) Header Information Leak |
|
| X-Content-Type-Options Header Missing |
|
| X-Debug-Token Information Leak |
|
| X-Frame-Options Defined via META (Non-compliant with Spec) |
|
| X-Frame-Options Setting Malformed |
|