Remediation Report for Server Administrator

 Scan Name: Webscantest-includeAPIs-reactjs
 Date: 8/24/2016 11:24:23 PM
 Authenticated User: testuser
 Total Links / Attackable Links: 416 / 416
 Target URL: http://webscantest.com

Summary


Vulnerability Type               Root Causes   Variances
Directory Indexing                    3             3
Predictable Resource Location         2             2
Server Type Disclosure                2             2
Total:                                7             7

By Risk

Variances: 7

Details


Directory Indexing

Site: http://webscantest.com:80
URL: http://webscantest.com/css/ (Root Cause #184)
URL: http://webscantest.com/images/ (Root Cause #185)
URL: http://webscantest.com/myfiles/ (Root Cause #186)

Description:

A full list of a directory's content can be viewed. This reveals each file and subdirectory, regardless of whether or not it is related to the web application. A directory listing may also reveal backup files, include files, or configuration files that are not normally viewable by users. When these types of files can be found, they often disclose sensitive information about the application.


Recommendations:

Refer to your web server's documentation for instructions on prohibiting directory listings.


Predictable Resource Location

Site: http://webscantest.com:80
URL: http://webscantest.com/robots.txt (Root Cause #206)

Site: http://www.webscantest.com:80
URL: http://www.webscantest.com/robots.txt (Root Cause #207)

Description:

A robots.txt file is present in the directory. The robots.txt file provides a list of directories that crawling engines are requested to ignore. There is no way to force the crawling engine to honor the robots.txt file. Depending on the content of the file, it may reveal administrator interfaces or alternate URLs that are supposed to be hidden from users.


Recommendations:

  1. Ensure that the robots.txt file does not divulge directories that are intended to be hidden from users.
  2. The security of sensitive directories should not rely on hiding their presence. Restrict access to sensitive directories (e.g. admin) by password and IP address or network location.
  3. Amend your deployment policy to include the removal of sensitive directories from robots.txt files.


Server Type Disclosure

Site: http://webscantest.com:80
URL: http://webscantest.com/ (Root Cause #228)

Site: http://www.webscantest.com:80
URL: http://www.webscantest.com/ (Root Cause #229)

Description:

Default configurations of web servers often provide too much information about their platform and version in HTTP headers and on error pages. This data is not itself dangerous, but it can help an attacker focus on vulnerabilities associated with your specific web server platform/version.


Recommendations:

Configure your web server so that it does not announce its own details. For example, in Apache you would want these two configuration directives in your config file:

  • ServerSignature Off
  • ServerTokens Prod