Security Assessment Report
GG Advanced IT Security  ·  ggsec.de
SAST 32.9s DAST 16.8s 18 requests 2 confirmed vulns 3 likely 7 SAST targets GGSec Cortex v0.9 Beta
F
Security
Rating

Executive Summary

GGSec Cortex identified 2 confirmed and 3 likely vulnerabilities in oob_demo_src. Every confirmed finding is evidence-backed — proven by a live proof-of-concept or a baseline-difference control (a forged/malicious request is accepted while a matched control is rejected), so false positives are minimised. Likely findings are confirmed marker-leak / parser-differential signals without a full request-hijack proof — they warrant manual verification, not an emergency response. Immediate remediation is recommended.
💰
Business Impact
Full server compromise (remote code execution)
🧰
Exploitation Complexity
Low — reachable by a remote attacker
🎯
Likelihood
High — confirmed findings have a live proof-of-concept
Overall Risk
Critical · max CVSS 9.8

Assessment Scope

📄
Target
oob_demo_src
🌐
Base URL
http://172.26.203.184
🔗
Endpoints tested
3
📤
Total requests
18
HTTP methods
GET, POST
🛡
Vulnerability classes
6
🔑
Authentication
Unauthenticated
📡
OOB collaborator
Enabled (blind detection)
🔎
SAST duration
32.9s
DAST duration
16.8s
📅
Scan completed
2026-07-08 17:10

Scan Timeline

17:09:49
Scan started
17:10:22
SAST analysis completed (32.9s, 7 target(s))
17:10:22
DAST probing started
17:10:22
GGC-SSRF-11B confirmed — SSRF url
17:10:30
GGC-POI-918 confirmed — PHP_OBJECT_INJECTION prefs
17:10:39
DAST probing completed (16.8s, 18 requests)
17:10:39
Report generated

Overview

2
Confirmed Vulns
3
Likely (review)
💀
3
Critical SAST
🔥
4
High SAST
💻
0
RCE
🗃
0
SQLi
0
XSS
🌐
1
SSRF
📄
0
XXE
🎭
0
CSRF
📡
0
JSONP
🔓
0
Auth Bypass
📤
18
Total Requests
Confirmed vulns by sink type DAST
PHP_OBJECT_INJECTION: 1 SSRF: 1 2 total
PHP_OBJECT_INJECTION1
SSRF1
SAST impact distribution SAST
FILE_READ
2
RCE
2
AUTH_BYPASS
1
INFORMATION_DISCLOSURE
1
DOS
1
DAST hit rate by sink DAST
SQL_QUERY
10/10
OUTDATED_COMPONENT
2/2
PHP_OBJECT_INJECTION
1/2
SSRF
1/2
XXE
0/2

Risk Matrix

Likelihood ▼ / Impact ▶NegligibleMinorModerateMajorSevere
Almost certain
Likely11
Possible
Unlikely
Rare

Remediation Plan

IDFindingCVSSPrioritySLA
GGC-POI-918 🤖 PHP_OBJECT_INJECTION prefs 9.8 P0 Fix immediately
GGC-SSRF-11B 🌐 SSRF url 7.7 P1 Within 7 days

Compliance Coverage

Each finding mapped to OWASP Top 10 2021, PCI-DSS v4.0, ISO/IEC 27001:2022 and GDPR. References are indicative for audit scoping, not a certification statement.

OWASP Top 10 (2021)# FindingsPCI-DSS v4.0ISO/IEC 27001:2022GDPR
A06:2021 – Vulnerable and Outdated Components 2 PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt) ISO/IEC 27001:2022 A.8.8 GDPR Art. 32 (security of processing)
A03:2021 – Injection 1 PCI-DSS v4.0 Req 6.2.4 (injection/XSS) ISO/IEC 27001:2022 A.8.28 GDPR Art. 32 (security of processing)
A05:2021 – Security Misconfiguration 1 PCI-DSS v4.0 Req 2.2.1 / 6.2.4 ISO/IEC 27001:2022 A.8.9 / A.8.28 GDPR Art. 32 (security of processing)
A10:2021 – Server-Side Request Forgery (SSRF) 1 PCI-DSS v4.0 Req 6.2.4 ISO/IEC 27001:2022 A.8.28 GDPR Art. 32 (security of processing)
A08:2021 – Software and Data Integrity Failures 1 PCI-DSS v4.0 Req 6.2.4 / 6.4.3 ISO/IEC 27001:2022 A.8.28 / A.8.29 GDPR Art. 32 (security of processing)
A01:2021 – Broken Access Control 1 PCI-DSS v4.0 Req 6.2.4 / 7.2.1 ISO/IEC 27001:2022 A.8.3 / A.5.15 GDPR Art. 5(1)(f) + Art. 32 (confidentiality)

SAST — Attack Surface

SAST confidence = static taint-flow certainty (source→sink), not runtime proof. "Confirmed" is reserved for DAST findings the engine actually exploited.

#ParameterSinkRiskCVSSStatic confidenceExploit.ImpactLocation
1 id 🗃 SQL_QUERY Critical 9.8 CRITICAL Taint-flow Direct AUTH_BYPASS oob_test.php
2 xml 📄 XXE High 7.5 HIGH Taint-flow Direct FILE_READ oob_test.php
3 url 🌐 SSRF High 8.6 HIGH Taint-flow Direct INFORMATION_DISCLOSURE oob_test.php
4 prefs 🤖 PHP_OBJECT_INJECTION Critical 9.8 CRITICAL Taint-flow Direct RCE poi_oob_test.php
5 url 🔍 PATH_TRAVERSAL High 7.5 HIGH Potential Low FILE_READ oob_test.php:21
6 apache 2.4.58 · CVE-2024-38475 🔍 OUTDATED_COMPONENT Critical 9.8 CRITICAL Taint-flow Direct RCE HTTP Server / X-Powered-By banner
7 apache 2.4.58 · CVE-2024-38476 🔍 OUTDATED_COMPONENT High 7.5 HIGH Taint-flow Direct DOS HTTP Server / X-Powered-By banner

Endpoint Summary

EndpointRequestsFindingsRisk
oob_test.php 10 🗃 SQL_QUERY CRITICAL
2 🔍 OUTDATED_COMPONENT CRITICAL
http://172.26.203.184/poi_oob_test.php 2 🤖 PHP_OBJECT_INJECTION CRITICAL
http://172.26.203.184/oob_test.php 4 🌐 SSRF HIGH

DAST — Vulnerability Details

🗃 GGC-SQLI-3F1 8.9 HIGH P1 Likely SQL_QUERY id oob_test.php 10/10 hits
Flow
$_GET['id'] is interpolated directly into a SQL query string "SELECT * FROM users WHERE id = $id" and executed via mysqli_query(). The result is never echoed, making this a fully blind SQLi. Time-based detection (SLEEP) is the appropriate method.
Attack Chain
Attacker supplies a crafted 'id' parameter → value is concatenated into SQL → blind execution via mysqli_query(). Time-based payloads confirm the injection.
Impact
AUTH_BYPASS — Direct
CWE / CVSS
CWE-89 SQL Injection  ·  CVSS 8.9 High (Base 9.8 Critical)
SQL is built from untrusted input, letting an attacker alter the query to read/modify data or bypass authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RC:R
ⓘ Base 9,8 → Effective 8,9 — probable (E:P/RC:R).
Compliance Impact
A03:2021 – Injection
PCI-DSS v4.0 Req 6.2.4 (injection/XSS)  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Likely  ·  🔓 Unauthenticated
Evidence strength
30%Tentative evidenceEvidence score 30/100
  • +18 Likely (weak signal only)
  • +6 Inferred from timing / HTTP 500 (no direct echo)
  • +6 Reproduced by 10 payload(s)
Proof of Concept
Reproduce:
curl -i 'oob_test.php?id=1%20UNION%20SELECT%20SLEEP%285%29--%20-'
Evidence (live response):
Proof: response took 0.0s while a non-vulnerable request returns in well under 1s — the server executed the injected delay (blind time-based injection; no data is echoed). Response body: (empty)
Remediation
Use parameterized queries / prepared statements — never build queries by string concatenation.
  • Replace interpolated SQL with bound parameters (PDO/mysqli prepared statements, '?'/named placeholders).
  • For NoSQL, cast user input to the expected scalar type and reject array/operator inputs ((string)$x, type checks).
  • Apply least-privilege DB credentials; the web user should not own DDL or admin rights.
  • Add allowlist validation for structural elements that cannot be parameterized (column/table names, ORDER BY).
Refs: CWE-89 · OWASP: SQL Injection Prevention Cheat Sheet · CWE-943 (NoSQL)
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET oob_test.php?id=1%20AND%20SLEEP%285%29--%20-
1 AND SLEEP(5)-- -
500 5ms http-500-likely-sql-error (time-payload)
⚠ VULN GET oob_test.php?id=1%20OR%20SLEEP%285%29--%20-
1 OR SLEEP(5)-- -
500 4ms http-500-likely-sql-error (time-payload)
⚠ VULN GET oob_test.php?id=1%29%20AND%20SLEEP%285%29--%20-
1) AND SLEEP(5)-- -
500 5ms http-500-likely-sql-error (time-payload)
⚠ VULN GET oob_test.php?id=1%20AND%20BENCHMARK%2810000000%2CSHA1%28%27a%27%29%29--%…
1 AND BENCHMARK(10000000,SHA1('a'))-- -
500 6ms http-500-likely-sql-error (time-payload)
⚠ VULN GET oob_test.php?id=1%20UNION%20SELECT%20SLEEP%285%29--%20-
1 UNION SELECT SLEEP(5)-- -
500 7ms http-500-likely-sql-error (time-payload)
⚠ VULN GET oob_test.php?id=1%27
1'
500 16ms http-500-likely-sql-error
⚠ VULN GET oob_test.php?id=1%20OR%201%3D1--%20-
1 OR 1=1-- -
500 16ms http-500-likely-sql-error
⚠ VULN GET oob_test.php?id=1%20UNION%20SELECT%201%2C2%2C3%2C4--%20-
1 UNION SELECT 1,2,3,4-- -
500 16ms http-500-likely-sql-error
⚠ VULN GET oob_test.php?id=0%20UNION%20SELECT%20username%2Cpassword%2C3%2C4%20FROM%…
0 UNION SELECT username,password,3,4 FROM users-- -
500 3ms http-500-likely-sql-error
📄 GGC-XXE-697 6.8 MEDIUM Probable XXE xml oob_test.php 0/2 hits
Flow
$_POST['xml'] is passed directly to simplexml_load_string() with default flags. The parsed result is never echoed — fully blind XXE. An external parameter entity referencing an OOB callback is the only viable detection method. The fetch occurs during DTD parsing, no body reference needed.
Attack Chain
Attacker POSTs a malicious XML document with an external parameter entity → simplexml_load_string() parses it → DTD processing triggers an outbound HTTP request to the OOB collaborator.
Impact
FILE_READ — Direct
CWE / CVSS
CWE-611 XML External Entity Reference  ·  CVSS 6.8 Medium (Base 7.5 High)
An XML parser resolves external entities, enabling local-file disclosure, SSRF, or denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RC:R
ⓘ Base 7,5 → Effective 6,8 — probable (E:P/RC:R).
Compliance Impact
A05:2021 – Security Misconfiguration
PCI-DSS v4.0 Req 2.2.1 / 6.2.4  ·  ISO/IEC 27001:2022 A.8.9 / A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Probable  ·  🔓 Unauthenticated
Remediation
Disable external entity and DTD processing in the XML parser.
  • Disable entity loading/DTDs (e.g. libxml_disable_entity_loader, LIBXML_NONET, no LIBXML_NOENT/DTDLOAD).
  • Prefer a hardened parser configuration or a non-XML format (JSON) where possible.
Refs: CWE-611 · OWASP: XXE Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
🌐 GGC-SSRF-11B 7.7 HIGH P1 Confirmed SSRF url oob_test.php 1/2 hits
Flow
$_GET['url'] is passed directly to file_get_contents() with no validation. The fetched data is stored in $data but never echoed — fully blind SSRF. OOB callback is the only detection method.
Attack Chain
Attacker supplies a URL in the 'url' parameter → file_get_contents() fetches it server-side → the server makes an outbound request to the attacker-controlled OOB collaborator.
Impact
INFORMATION_DISCLOSURE — Direct
CWE / CVSS
CWE-918 Server-Side Request Forgery  ·  CVSS 7.7 High (Base 8.6 High)
The server fetches a user-supplied URL, letting an attacker reach internal services or cloud metadata.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:H/RC:C
ⓘ Base 8,6 → Effective 7,7 — auth-gated (PR:L).
Compliance Impact
A10:2021 – Server-Side Request Forgery (SSRF)
PCI-DSS v4.0 Req 6.2.4  ·  ISO/IEC 27001:2022 A.8.28  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1090 Proxy · T1552.005 Unsecured Credentials: Cloud Instance Metadata API
Command and Control, Credential Access
Certainty / Access
Confirmed  ·  👤 Customer
Evidence strength
83%Medium evidenceEvidence score 83/100
  • +50 Confirmed (strong signal)
  • +28 Out-of-band callback received
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i 'http://172.26.203.184/oob_test.php?url=http%3A%2F%2F172.26.192.1%3A8888%2F519205e607c1'
Evidence (live response):
OOB HTTP callback received by the GGSec collaborator — the target issued an outbound request to http://172.26.192.1:8888/519205e607c1, proving blind (out-of-band) injection. The in-band HTTP response body is not the proof for this finding.
Remediation
Allowlist outbound destinations and block internal address ranges; don't fetch user URLs directly.
  • Allowlist permitted hosts/schemes; deny by default.
  • Resolve and block private/link-local/loopback/metadata ranges (169.254.169.254, 127.0.0.0/8, 10/172.16/192.168).
  • Disable unneeded URL schemes (file://, gopher://, dict://) and follow-redirect to internal hosts.
Refs: CWE-918 · OWASP: SSRF Prevention Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
🤖 GGC-POI-918 9.8 CRITICAL P0 Confirmed PHP_OBJECT_INJECTION prefs poi_oob_test.php 1/2 hits
Flow
$_COOKIE['prefs'] is passed directly to unserialize(). The Fetcher gadget class is in scope: its __destruct() calls file_get_contents($this->url) on an attacker-controlled URL property. The return value of file_get_contents is discarded (@-suppressed, not echoed), so there is zero in-band signal. Detection requires an OOB collaborator callback. The serialized Fetcher payload sets $url to the OOB callback URL; when the unserialized object is garbage-collected, __destruct fires the outbound request.
Attack Chain
Attacker sets Cookie: prefs=<serialized Fetcher with url={OOB_HTTP}> → unserialize() instantiates Fetcher → script ends → GC triggers __destruct() → file_get_contents({OOB_HTTP}) fires outbound request to attacker-controlled server.
Impact
RCE — Direct
CWE / CVSS
CWE-502 Deserialization of Untrusted Data  ·  CVSS 9.8 Critical
Untrusted serialized data is deserialized, invoking gadget chains that can lead to remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C
Compliance Impact
A08:2021 – Software and Data Integrity Failures
PCI-DSS v4.0 Req 6.2.4 / 6.4.3  ·  ISO/IEC 27001:2022 A.8.28 / A.8.29  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application · T1059 Command and Scripting Interpreter
Initial Access, Execution
Certainty / Access
Confirmed  ·  🔓 Unauthenticated
Evidence strength
83%Medium evidenceEvidence score 83/100
  • +50 Confirmed (strong signal)
  • +28 Out-of-band callback received
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i -X POST 'http://172.26.203.184/poi_oob_test.php' --data 'O:7:"Fetcher":1:{s:3:"url";s:37:"http://172.26.192.1:8888/6d57d558a5b4";}'
Evidence (live response):
OOB HTTP callback received by the GGSec collaborator — the target issued an outbound request to http://172.26.192.1:8888/6d57d558a5b4, proving blind (out-of-band) injection. The in-band HTTP response body is not the proof for this finding.
Remediation
Do not unserialize untrusted data; use a safe format and restrict allowed classes.
  • Replace unserialize() on tainted input with json_decode() (data-only).
  • If PHP serialization is required, pass allowed_classes=false or an explicit allowlist.
  • Add integrity protection (HMAC) to any serialized blob that must round-trip via the client.
Refs: CWE-502 · OWASP: Deserialization Cheat Sheet
ResultMethodURLPayloadStatusTimeDetectionDB
🔍 GGC-PATH-829 6.3 MEDIUM Potential PATH_TRAVERSAL url oob_test.php:21 0/0 hits
Flow
[Regex safety-net — the AI SAST did NOT flag this sink; added as a backstop against false-negatives. Low confidence, verify manually.] Regex-SAST (no LLM): tainted ${_REQUEST}['url'] reaches a PATH_TRAVERSAL sink at oob_test.php:21 without an escape/parameterisation guard on the line. Heuristic — verify.
Impact
FILE_READ — Low
CWE / CVSS
CWE-22 Path Traversal / Arbitrary File Read  ·  CVSS 6.3 Medium (Base 7.5 High)
User-controlled path components escape the intended directory, exposing arbitrary files (/etc/passwd, config, source).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RC:U
ⓘ Base 7,5 → Effective 6,3 — potential (E:U/RC:U).
Compliance Impact
A01:2021 – Broken Access Control
PCI-DSS v4.0 Req 6.2.4 / 7.2.1  ·  ISO/IEC 27001:2022 A.8.3 / A.5.15  ·  GDPR Art. 5(1)(f) + Art. 32 (confidentiality)
MITRE ATT&CK
T1083 File and Directory Discovery · T1005 Data from Local System
Discovery, Collection
Certainty / Access
Potential  ·  🔓 Unauthenticated
Remediation
Never build filesystem paths from user input — map requests to a fixed allowlist and canonicalize before use.
  • Map the user-supplied identifier to a server-side allowlist of permitted files; never use it as a path directly.
  • Canonicalize the resolved path (realpath) and verify it is still inside the intended base directory before reading.
  • Reject traversal sequences AFTER decoding (../, ..\, encoded %2e%2e, and stripped variants like ....//).
  • Run with least privilege so sensitive files (/etc/passwd, app secrets) are unreadable by the web user.
Refs: CWE-22 · CWE-73 · OWASP: Path Traversal · OWASP: File Path Traversal Prevention Cheat Sheet
No DAST requests recorded for this target.
🔍 GGC-VULN-D0C 8.9 HIGH P1 Likely OUTDATED_COMPONENT apache 2.4.58 · CVE-2024-38475 HTTP Server / X-Powered-By banner 1/1 hits
Flow
The server banner indicates apache 2.4.58, which the version range for CVE-2024-38475 (fixed in 2.4.60) would cover — version-indicated only, not confirmed exploitable (banner may be backport-patched; vulnerable config/module not verified).
Impact
RCE — Direct
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component  ·  CVSS 8.9 High (Base 9.8 Critical)
An unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RC:R
ⓘ Base 9,8 → Effective 8,9 — probable (E:P/RC:R).
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt)  ·  ISO/IEC 27001:2022 A.8.8  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Likely  ·  🔓 Unauthenticated
Evidence strength
75%Medium evidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (outdated-component)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i ''
Evidence (live response):
Server banner 'Apache/2.4.58' matches CVE-2024-38475 (CWE-22, Critical): mod_rewrite improper output escaping → URL mapped to filesystem (RCE / source disclosure). Affected: version < 2.4.60. VERSION-INDICATED / UNVERIFIED — this is a banner-only match: (1) a backported distro pa…
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
  • Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
  • Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
  • Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
  • Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET
outdated-component
200 0ms outdated-component
🔍 GGC-VULN-637 6.8 MEDIUM P2 Likely OUTDATED_COMPONENT apache 2.4.58 · CVE-2024-38476 HTTP Server / X-Powered-By banner 1/1 hits
Flow
The server banner indicates apache 2.4.58, which the version range for CVE-2024-38476 (fixed in 2.4.60) would cover — version-indicated only, not confirmed exploitable (banner may be backport-patched; vulnerable config/module not verified).
Impact
DOS — Direct
CWE / CVSS
CWE-1104 Use of Unmaintained/Vulnerable Third-Party Component  ·  CVSS 6.8 Medium (Base 7.5 High)
An unmaintained / known-vulnerable third-party component is in use; a published CVE may apply.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RC:R
ⓘ Base 7,5 → Effective 6,8 — probable (E:P/RC:R).
Compliance Impact
A06:2021 – Vulnerable and Outdated Components
PCI-DSS v4.0 Req 6.3.1 / 6.3.3 (patch mgmt)  ·  ISO/IEC 27001:2022 A.8.8  ·  GDPR Art. 32 (security of processing)
MITRE ATT&CK
T1190 Exploit Public-Facing Application
Initial Access
Certainty / Access
Likely  ·  🔓 Unauthenticated
Evidence strength
75%Medium evidenceEvidence score 75/100
  • +50 Confirmed (strong signal)
  • +20 Direct detection (outdated-component)
  • +5 Stable 2xx response
Proof of Concept
Reproduce:
curl -i ''
Evidence (live response):
Server banner 'Apache/2.4.58' matches CVE-2024-38476 (CWE-476, High): mod_proxy null-pointer dereference → DoS via malicious backend response headers. Affected: version < 2.4.60. VERSION-INDICATED / UNVERIFIED — this is a banner-only match: (1) a backported distro patch may leave…
Remediation
Upgrade the flagged component to a fixed release; version-indicated — verify against your actual (possibly backported) build.
  • Upgrade to the fixed version listed for the CVE (or a distro build with the backported patch).
  • Confirm the real installed version — a backported security fix can leave the banner version unchanged (avoid false positives).
  • Suppress the version banner (ServerTokens Prod / expose_php=Off / remove X-Powered-By) to reduce fingerprinting.
  • Track dependencies with SCA (composer audit / npm audit / Dependabot) and patch on a schedule.
Refs: CWE-1104 · OWASP A06:2021 Vulnerable & Outdated Components · NVD
ResultMethodURLPayloadStatusTimeDetectionDB
⚠ VULN GET
outdated-component
200 0ms outdated-component

Security Headers

HeaderStatusRiskRecommendation
Content-Security-Policy ✗ MISSING HIGH Prevents XSS/injection. Use nonce or strict-dynamic.
X-Frame-Options ✗ MISSING MEDIUM Prevents clickjacking. Use DENY or SAMEORIGIN.
X-Content-Type-Options ✗ MISSING LOW Prevents MIME sniffing. Set to nosniff.
Strict-Transport-Security ✗ MISSING MEDIUM Enforces HTTPS. min-age=31536000; includeSubDomains.
Referrer-Policy ✗ MISSING LOW Limits referrer leakage. strict-origin-when-cross-origin.
Permissions-Policy ✗ MISSING LOW Restrict unused browser features (camera, mic, geo).