Summary

Overall risk level: High
Risk ratings: High 1, Medium 2, Low 2, Info 5

Findings

1. Passwords are submitted unencrypted over the network
   Login form: http://demo.testfire.net/bank/login.aspx
   Details: the login form is served and submitted over plain HTTP, so the username and password cross the network in cleartext and can be read or modified by anyone positioned on the path (for example on a shared Wi-Fi network). The form should only be reachable over HTTPS, with HTTP requests redirected to it.

2. Insecure HTTP cookies
   Cookie name          Flags missing
   ASP.NET_SessionId    Secure
   amSessionId          Secure, HttpOnly
   Details: without the Secure flag the browser also sends the session cookie on plain-HTTP requests, where it can be captured and replayed; without HttpOnly the cookie is readable from JavaScript, so any Cross-Site Scripting bug becomes session theft. In ASP.NET both flags can be forced site-wide from web.config with <httpCookies httpOnlyCookies="true" requireSSL="true" /> under <system.web>.

3. Communication is not secure
   http://demo.testfire.net/bank/login.aspx accepts the weak credentials admin / admin, over the unencrypted connection described in finding 1. Default and guessable passwords should be changed and a password policy enforced.

4. Missing HTTP security headers
   Header                   Role                                                        Status
   X-Frame-Options          Stops the page being framed (clickjacking)                  Not set
   X-XSS-Protection         Enables the built-in XSS filter of older browsers           Not set
   X-Content-Type-Options   With "nosniff", stops browsers MIME-sniffing responses      Not set
   Details: X-Frame-Options and X-Content-Type-Options: nosniff cost nothing and should be set. X-XSS-Protection is a legacy header that current browsers ignore (Chrome and Edge have removed the filter it controlled), so it does not by itself mitigate XSS; the effective defence is output encoding plus a Content-Security-Policy. In IIS these headers can be added under <system.webServer><httpProtocol><customHeaders> in web.config.

5. Password auto-complete is enabled
   Risk description: when password auto-complete is enabled, the browser remembers the password entered into the login form and fills it in automatically the next time the user logs in. If an attacker gains physical access to the victim's computer, they can retrieve the saved password from the browser's password store and use it to gain access to the victim's account in the application. Furthermore, if the application is also vulnerable to Cross-Site Scripting, the attacker could steal the saved password remotely.
   Recommendation: disable the password auto-complete feature on the login forms by setting the attribute autocomplete="off" on all password fields. Note that most current browsers ignore autocomplete="off" on login fields so that their password managers keep working, so the attribute is a best-effort measure; the dependable defence against the remote variant is removing the XSS that would steal the stored password.
   More information about this issue: https://www.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OTG-AUTHN-005).

6. Informational
   Server software and technology not found: no vulnerabilities found for server-side software (no version information disclosed).
   robots.txt file not found: no security issue found regarding client access policies.
   Desktop folder paths disclosed:
     c:\website\bank\account.aspx
     c:\downloads\AltoroMutual_v6\website\App_Code\LineItemTable.cs
   Details: local filesystem paths leaking into responses reveal the server's directory layout and the origin of the build, which helps an attacker target further attacks; detailed errors should not be returned to clients.

7. TLS configuration
   - This server's certificate is not trusted (see details below).
   - The certificate uses an insecure signature algorithm. Reissue it with a SHA-2 signature (for example SHA-256) to avoid browser warnings.
   - This server supports SSL 3, which is obsolete and insecure (it is exposed to the POODLE padding-oracle attack). Grade capped to B.
   - This server accepts the RC4 cipher, but only with older protocols. Grade capped to B.
   - This server does not support Forward Secrecy with the reference browsers. Grade capped to B.
   - This server does not support Authenticated Encryption (AEAD) cipher suites. Grade capped to B.
   Details: disable SSL 3 (and, where clients allow, TLS 1.0 and 1.1), remove RC4 and other non-AEAD suites, and prefer ECDHE key exchange with AES-GCM or ChaCha20-Poly1305, so that recorded sessions cannot be decrypted later if the server's private key is compromised.

Mitigations

   - URL validation
   - Session validation
   - Input validation
   - Certificate maintenance
   - Server and client validation

It would take very little time to write a script that compromises this site.
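The Insecure HTTP cookies and Missing HTTP security headers findings above are read straight off the HTTP response, so they can be re-checked without the scanner. The Python script below is an added example and is not part of this report or of the AltoroMutual application; the sample response it audits is constructed to reproduce the report's findings, and its function and constant names are its own. It goes one step beyond the report by also checking for Content-Security-Policy, the header that has replaced X-XSS-Protection as the browser-side XSS control.

```python
"""Audit an HTTP response for session cookies missing Secure/HttpOnly and
for absent security headers.  Added example, not scanner code; the sample
response below is constructed to reproduce the report's findings."""
import urllib.request

REQUIRED_COOKIE_FLAGS = ("Secure", "HttpOnly")

# Headers the report checks, plus Content-Security-Policy, which is the
# control current browsers honour in place of X-XSS-Protection.
SECURITY_HEADERS = (
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Content-Security-Policy",
)


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_cookie_flags(set_cookie_values):
    """Map each cookie name to the required flags its Set-Cookie lacks."""
    missing = {}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        absent = [f for f in REQUIRED_COOKIE_FLAGS if f.lower() not in attrs]
        if absent:
            missing[name] = absent
    return missing


def missing_security_headers(header_names):
    """Return the checked headers that are not present (names are case-insensitive)."""
    present = {h.lower() for h in header_names}
    return [h for h in SECURITY_HEADERS if h.lower() not in present]


def parse_raw_response(raw):
    """Parse a raw HTTP response head into (header names, Set-Cookie values)."""
    names, cookies = [], []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        names.append(name.strip())
        if name.strip().lower() == "set-cookie":
            cookies.append(value.strip())
    return names, cookies


def audit(raw):
    """Audit a raw response and return the findings for cookies and headers."""
    names, cookies = parse_raw_response(raw)
    return {
        "cookies": missing_cookie_flags(cookies),
        "headers": missing_security_headers(names),
    }


def audit_url(url):
    """Fetch a URL and audit the live response (needs network access)."""
    with urllib.request.urlopen(url) as resp:
        names = [k for k, _ in resp.headers.items()]
        cookies = resp.headers.get_all("Set-Cookie") or []
    return {
        "cookies": missing_cookie_flags(cookies),
        "headers": missing_security_headers(names),
    }


# Constructed response modelled on the report's findings (not a real capture).
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Cache-Control: private",
    "Content-Type: text/html; charset=utf-8",
    "Set-Cookie: ASP.NET_SessionId=r4nd0mid; path=/; HttpOnly",
    "Set-Cookie: amSessionId=1234567890; path=/",
    "Content-Length: 17",
    "",
    "<html>...</html>",
])

if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE))
```

Against the constructed response the audit reports ASP.NET_SessionId missing Secure, amSessionId missing both flags, and all four headers absent, matching the report. audit_url() applies the same checks to a live page; urllib raises HTTPError for 4xx/5xx responses, so wrap it if you want to audit error pages too.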
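The TLS findings above (obsolete SSL 3, RC4 only with older protocols, no Forward Secrecy, no AEAD suites, a pre-SHA-2 certificate signature) can each be derived from the list of protocol versions and cipher suites a server offers. The Python script below is an added example, not scanner output or code from the AltoroMutual project: the two server profiles are constructed, the "as scanned" one to mirror the report's findings and the "hardened" one to show the corrected configuration, and the grade model (A, capped to B or C by findings) is a simplification of the caps the report quotes, not SSL Labs' actual rating algorithm. It does not model the "reference browsers" clause; it simply checks whether any ephemeral (EC)DHE suite is offered at all.

```python
"""Check a summary of a TLS endpoint's capabilities against the grade-capping
findings quoted in the report.  Added example, not scanner output: the two
server profiles are constructed, and the grade model (A, capped to B or C)
is a simplification of the caps the report quotes, not SSL Labs' actual
rating algorithm."""

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
MODERN_PROTOCOLS = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Fragments of IANA cipher-suite names that identify each property.
FS_KEY_EXCHANGE = ("_ECDHE_", "_DHE_")
AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305")
SHA2_SIGNATURES = ("sha256", "sha384", "sha512")
GRADE_ORDER = ["A", "B", "C"]


def all_suites(suites_by_proto):
    """Every cipher suite offered under any protocol version."""
    return {s for suites in suites_by_proto.values() for s in suites}


def has_forward_secrecy(suites_by_proto):
    """True if any offered suite uses an ephemeral (EC)DHE key exchange."""
    # TLS 1.3 suites always use ephemeral key exchange, although their
    # names no longer say so.
    if suites_by_proto.get("TLSv1.3"):
        return True
    return any(k in s for s in all_suites(suites_by_proto) for k in FS_KEY_EXCHANGE)


def has_aead(suites_by_proto):
    """True if any offered suite uses an AEAD mode (GCM, CCM or ChaCha20-Poly1305)."""
    return any(m in s for s in all_suites(suites_by_proto) for m in AEAD_MARKERS)


def rc4_by_protocol(suites_by_proto):
    """Protocol versions that offer an RC4 suite, mapped to those suites."""
    found = {}
    for proto, suites in suites_by_proto.items():
        rc4 = [s for s in suites if "_RC4_" in s]
        if rc4:
            found[proto] = rc4
    return found


def signature_is_weak(sig_alg):
    """True unless the certificate signature uses a SHA-2 digest."""
    return not sig_alg.lower().startswith(SHA2_SIGNATURES)


def evaluate(profile):
    """Return {'grade': str, 'findings': [str]} for a capability profile."""
    findings = []
    worst = "A"

    def cap(grade):
        nonlocal worst
        if GRADE_ORDER.index(grade) > GRADE_ORDER.index(worst):
            worst = grade

    if signature_is_weak(profile["cert_signature"]):
        # The report lists this beside the caps without stating one; not capped here.
        findings.append("Certificate uses an insecure signature algorithm; reissue with SHA-2")
    obsolete = sorted(OBSOLETE_PROTOCOLS & set(profile["protocols"]))
    if obsolete:
        findings.append("Obsolete protocol(s) enabled: " + ", ".join(obsolete))
        cap("B")
    rc4 = rc4_by_protocol(profile["suites"])
    if rc4:
        if set(rc4) & MODERN_PROTOCOLS:
            # Assumed stricter cap when RC4 is reachable under TLS 1.1 or later.
            findings.append("RC4 accepted with modern protocols: " + ", ".join(sorted(rc4)))
            cap("C")
        else:
            findings.append("RC4 accepted, but only with older protocols: " + ", ".join(sorted(rc4)))
            cap("B")
    if not has_forward_secrecy(profile["suites"]):
        findings.append("No forward secrecy: no ECDHE or DHE suites offered")
        cap("B")
    if not has_aead(profile["suites"]):
        findings.append("No authenticated-encryption (AEAD) cipher suites")
        cap("B")
    return {"grade": worst, "findings": findings}


# Constructed profile mirroring the report's TLS findings.
AS_SCANNED = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "suites": {
        "SSLv3":   ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
        "TLSv1.0": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"],
        "TLSv1.1": ["TLS_RSA_WITH_AES_128_CBC_SHA"],
        "TLSv1.2": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"],
    },
    "cert_signature": "sha1WithRSAEncryption",
}

# Constructed hardened profile: TLS 1.2/1.3 only, ECDHE + AEAD suites, SHA-256 certificate.
HARDENED = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "suites": {
        "TLSv1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],
        "TLSv1.3": ["TLS_AES_128_GCM_SHA256"],
    },
    "cert_signature": "sha256WithRSAEncryption",
}

if __name__ == "__main__":
    for label, profile in (("as scanned", AS_SCANNED), ("hardened", HARDENED)):
        result = evaluate(profile)
        print(f"{label}: grade {result['grade']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The "as scanned" profile produces the five findings in the report and a B cap; the hardened profile produces none and keeps an A. To run this against a real host, replace the constructed profiles with the protocol and suite lists from a scanner such as sslscan or testssl.sh.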