Amir Amir Dah.docx

  • April 2020
  • PDF



Findings

Insecure HTTP cookies

  Cookie Name   Flags missing
  PHPSESSID     Secure, HttpOnly

Details

Risk description: Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel (plain HTTP) if such a request is made. Thus, the risk exists that an attacker will intercept the clear-text communication between the browser and the server and steal the user's cookie. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.

Lack of the HttpOnly flag permits the browser to access the cookie from client-side scripts (e.g. JavaScript, VBScript, etc.). This can be exploited by an attacker in conjunction with a Cross-Site Scripting (XSS) attack in order to steal the affected cookie. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.

Recommendation: We recommend reconfiguring the web server in order to set the flag(s) Secure, HttpOnly on all sensitive cookies.

More information about this issue: https://blog.dareboost.com/en/2016/12/secure-cookies-secure-httponly-flags/

Communication is not secure

  http://bawaslu-jabarprov.go.id/bawaslu

Details

Risk description: The communication between the web browser and the server is done using the HTTP protocol, which transmits data unencrypted over the network. Thus, an attacker who manages to intercept the communication at the network level is able to read and modify the data transmitted (including passwords, secret tokens, credit card information and other sensitive data).

Recommendation: We recommend reconfiguring the web server to use HTTPS, which encrypts the communication between the web browser and the server.

Server software and technology found

  Software / Version   Category
  Apache               Web Servers
  PHP                  Programming Languages
  Cufon                Font Scripts
  Facebook             Widgets
  Modernizr 2.0.6      JavaScript Frameworks
  jQuery 1.6.2         JavaScript Frameworks

Details

Missing HTTP security headers

  HTTP Security Header     Header Role                                    Status
  X-Frame-Options          Protects against Clickjacking attacks          Not set
  X-XSS-Protection         Mitigates Cross-Site Scripting (XSS) attacks   Not set
  X-Content-Type-Options   Prevents possible phishing or XSS attacks      Not set

Details

Risk description: Because the X-Frame-Options header is not sent by the server, an attacker could embed this website into an iframe of a third-party website. By manipulating the display attributes of the iframe, the attacker could trick the user into performing mouse clicks in the application, thus performing activities without the user's consent (e.g. delete user, subscribe to newsletter, etc.). This is called a Clickjacking attack and it is described in detail here: https://www.owasp.org/index.php/Clickjacking

The X-XSS-Protection HTTP header instructs the browser to stop loading web pages when it detects reflected Cross-Site Scripting (XSS) attacks. Lack of this header exposes application users to XSS attacks in case the web application contains such a vulnerability.

The HTTP X-Content-Type-Options header is addressed to the Internet Explorer browser and prevents it from reinterpreting the content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header. Lack of this header could lead to attacks such as Cross-Site Scripting or phishing.

Recommendation: We recommend adding the X-Frame-Options HTTP response header to every page that you want to be protected against Clickjacking attacks. More information about this issue: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

We recommend setting the X-XSS-Protection header to "X-XSS-Protection: 1; mode=block". More information about this issue: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

SSL Certificate Cannot Be Trusted

Synopsis
The SSL certificate for this service cannot be trusted.

Description
The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which the chain of trust can be broken, as stated below:

- First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.
- Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.
- Third, the certificate chain may contain a signature that either didn't match the certificate's information or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.

Solution
Purchase or generate a proper certificate for this service.

DNS Server Recursive Query Cache Poisoning Weakness (Medium, Nessus Plugin ID 10539)

Synopsis
The remote name server allows recursive queries to be performed by the host running nessusd.

Description
It is possible to query the remote name server for third-party names. If this is your internal nameserver, then the attack vector may be limited to employees or guest access if allowed. If you are probing a remote nameserver, then it allows anyone to use it to resolve third-party names (such as www.nessus.org). This allows attackers to perform cache poisoning attacks against this nameserver. If the host allows these recursive queries via UDP, then the host can be used to 'bounce' Denial of Service attacks against another network or system.

Solution
Restrict recursive queries to the hosts that should use this nameserver (such as those of the LAN connected to it). If you are using bind 8, you can do this by using the instruction 'allow-recursion' in the 'options' section of your named.conf. If you are using bind 9, you can define a grouping of internal addresses using the 'acl' command. Then, within the options block, you can explicitly state: 'allow-recursion { hosts_defined_in_acl }'. If you are using another name server, consult its documentation.

DNS Server Cache Snooping Remote Information Disclosure (Medium, Nessus Plugin ID 12217)

Synopsis
The remote DNS server is vulnerable to cache snooping attacks.

Description
The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more.

Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.

Solution
Contact the vendor of the DNS software for a fix.

DNS Server Spoofed Request Amplification DDoS (Medium, Nessus Plugin ID 35450)

Synopsis
The remote DNS server could be used in a distributed denial of service attack.

Description
The remote DNS server answers to any request. It is possible to query the name servers (NS) of the root zone ('.') and get an answer that is bigger than the original request. By spoofing the source IP address, a remote attacker can leverage this 'amplification' to launch a denial of service attack against a third-party host using the remote DNS server.

Solution
Restrict access to your DNS server from the public network or reconfigure it to reject such queries.

Browsable Web Directories (Medium, Nessus Plugin ID 40984)

Synopsis
Some directories on the remote web server are browsable.

Description
Multiple Nessus plugins identified directories on the web server that are browsable.

Solution
Make sure that browsable directories do not leak confidential information or give access to sensitive resources. Additionally, use access restrictions or disable directory indexing for any that do.

SSL Medium Strength Cipher Suites Supported (Medium, Nessus Plugin ID 42873)

Synopsis
The remote service supports the use of medium strength SSL ciphers.

Description
The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths of at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite. Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.

Solution
Reconfigure the affected application if possible to avoid use of medium strength ciphers.

IMAP Service STARTTLS Plaintext Command Injection (Medium, Nessus Plugin ID 52609)

Synopsis
The remote mail service allows plaintext command injection while negotiating an encrypted communications channel.

Description
The remote IMAP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.

Solution
Contact the vendor to see if an update is available.
