<!DOCTYPE html>
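<!-- lang belongs on the root element so assistive technology and search
     engines pick it up for the whole document; <head lang> is ignored. -->
<html lang="en">
<head>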
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Application Security Scan Report for quid-dev-sync.cadol.es</title>
<style>
/*!
* Bootstrap v3.3.2 (http://getbootstrap.com)
* Copyright 2011-2015 Twitter, Inc.
* Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
*//*! normalize.css v3.0.2 | MIT License | git.io/normalize */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}input{line-height:normal}input[type=checkbox],input[type=radio]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid 
silver}legend{padding:0;border:0}textarea{overflow:auto}optgroup{font-weight:700}table{border-spacing:0;border-collapse:collapse}td,th{padding:0}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@media print{*,:after,:before{color:#000!important;text-shadow:none!important;background:0 0!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}blockquote,pre{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}img,tr{page-break-inside:avoid}img{max-width:100%!important}h2,h3,p{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff!important}.navbar{display:none}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table td,.table th{background-color:#fff!important}.table-bordered td,.table-bordered th{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff2) format('woff2'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons 
Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-eur:before,.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphic
<style>
.table {
table-layout:fixed;
}
.table td {
white-space: nowrap;
overflow: hidden;
text-overflow: ellipsis;
}
</style>
</head>
<body>
<div class="container">
<div class="thumbnail">
<div class="row">
<div class="col-md-12">
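<!-- <p> is not permitted inside a heading; put the alignment class on the h1. -->
<h1 class="text-center">Application Security Scan for quid-dev-sync.cadol.es</h1>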
</div>
</div>
<div class="row">
<div class="col-md-1"></div>
<div class="col-md-4">
<h4>Meta-data</h4>
<p>This report contains the application security scan results
for the w3af scan of quid-dev-sync.cadol.es, which finished on
15.04.2019. Read the findings together with the Scan log at the end of
this report: the <code>auth</code> plugin could not log in as
admin@quid.local, the <code>audit.rfi</code> plugin aborted on a
configuration error and never ran, and one request timed out. The
authenticated areas listed under &#34;URLs found&#34; appear to have been
reached with the pre-seeded session cookie and basic-auth header visible
in the HTTP proofs, so coverage of those pages depends on that session
having remained valid throughout the scan.</p>
</div>
<div class="col-md-3">
<h4>Configured target URLs</h4>
<ul>
<li> https://quid-dev-sync.cadol.es/login </li>
</ul>
</div>
<div class="col-md-3">
<h4>Enabled plugins</h4>
<ul>
<li> <h5>audit</h5>
<ul>
<li>file_upload</li>
<li>os_commanding</li>
<li>lfi</li>
<li>blind_sqli</li>
<li>sqli</li>
<li>dav</li>
<li>eval</li>
<li>rfi</li>
</ul>
</li>
<li> <h5>infrastructure</h5>
<ul>
<li>allowed_methods</li>
<li>server_header</li>
</ul>
</li>
<li> <h5>grep</h5>
<ul>
</ul>
</li>
<li> <h5>evasion</h5>
<ul>
</ul>
</li>
<li> <h5>crawl</h5>
<ul>
<li>web_spider</li>
</ul>
</li>
<li> <h5>auth</h5>
<ul>
<li>detailed</li>
</ul>
</li>
<li> <h5>bruteforce</h5>
<ul>
</ul>
</li>
<li> <h5>output</h5>
<ul>
<li>html_file</li>
<li>console</li>
</ul>
</li>
<li> <h5>mangle</h5>
<ul>
</ul>
</li>
</ul>
</div>
<div class="col-md-1"></div>
</div>
</div>
<div class="thumbnail">
<div class="row">
<div class="col-md-2"><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEEAAABCCAYAAAAIY7vrAAAABmJLR0QA/wD/AP+gvaeTAAAACXBI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" /></div>
<div class="col-md-8"><h2 class="text-center">Server header</h2></div>
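<!-- A heading may not be a child of <b>; keep the bold inside the heading instead. -->
<div class="col-md-2"><h3 class="text-info"><b>INFO</b></h3></div>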
</div>
<div class="row">
<div class="col-md-1"></div>
<div class="col-md-10">
<h4>Summary</h4>
<p>The server header for the remote web server is: &#34;nginx/1.10.3 (Ubuntu)&#34;. This information was found in the request with id 28. Exposing the exact nginx version and distribution lets an attacker match the host against published advisories for that release; setting <code>server_tokens off;</code> in the nginx configuration reduces the header to a bare <code>nginx</code> (note that the 400 error page in the proofs below embeds the same version string and is silenced by the same directive).</p>
<p>Two further observations from the HTTP proof below that w3af did not raise as findings, because every <code>grep</code> plugin was disabled for this scan: the <code>quid_sync</code> session cookie is set without the <code>Secure</code>, <code>HttpOnly</code> or <code>SameSite</code> attributes and with a 30-day lifetime (<code>Max-Age=2592000</code>), and <code>x-frame-options: SAMEORIGIN</code> is emitted twice, presumably once by nginx and once by the application. The cookie attributes should be added; the frame-options header should come from a single source so the two values can never diverge.</p>
</div>
<div class="col-md-1"></div>
</div>
<div class="row">
<div class="col-md-1"></div>
<div class="col-md-10">
<ul>
</ul>
</div>
<div class="col-md-1"></div>
</div>
<div class="row">
<div class="col-md-1"></div>
<div class="col-md-10"><h4>HTTP proof</h4></div>
<div class="col-md-1"></div>
</div>
<div class="row">
<div class="col-md-2"></div>
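<div class="col-md-8">
<!-- Secrets redacted before committing this report: the original proof carried
     the live quid_sync session cookie and an "Authorization: Basic" header whose
     base64 value is a cleartext username:password pair for the target. Anyone
     with read access to this repository could have replayed both while they were
     valid. Rotate the credential and invalidate the session if the unredacted
     report was ever pushed. -->
<pre>GET https://quid-dev-sync.cadol.es/login HTTP/1.1
Accept-encoding: gzip, deflate
Accept: */*
User-agent: w3af.org
Host: quid-dev-sync.cadol.es
Cookie: quid_sync=[REDACTED session cookie]
Authorization: Basic [REDACTED base64 username:password]</pre>
</div>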
<div class="col-md-2"></div>
</div>
<div class="row">
<div class="col-md-2"></div>
<div class="col-md-8">
<pre>HTTP/1.1 200 OK
content-length: 585
content-encoding: gzip
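set-cookie: quid_sync=[REDACTED session cookie; live value removed from the committed report]; Path=/; Expires=Wed, 15 May 2019 18:19:56 GMT; Max-Age=2592000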
server: nginx/1.10.3 (Ubuntu)
connection: keep-alive
date: Mon, 15 Apr 2019 18:19:56 GMT
x-frame-options: SAMEORIGIN, SAMEORIGIN
content-type: text/html; charset=utf-8
&lt;!DOCTYPE html&gt;
&lt;html lang=&#34;fr&#34;&gt;
&lt;head&gt;
&lt;meta charset=&#34;utf-8&#34;&gt;
&lt;meta name=&#34;viewport&#34; content=&#34;width=device-width, initial-scale=1&#34;&gt;
&lt;title&gt;Authentification - Quid&lt;/title&gt;
&lt;link rel=&#34;stylesheet&#34; href=&#34;/css/sync-app.css&#34;&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;section class=&#34;hero is-fullheight login&#34;&gt;
&lt;div class=&#34;hero-body&#34;&gt;
&lt;div class=&#34;container&#34;&gt;
&lt;div class=&#34;column is-4 is-offset-4&#34;&gt;
&lt;div class=&#34;flash has-margin-top-small&#34;&gt;&lt;/div&gt;
&lt;div class=&#34;has-text-centered has-margin-top-small&#34;&gt;
&lt;div class=&#34;box&#34;&gt;
&lt;figure class=&#34;avatar&#34;&gt;
&lt;img src=&#34;/img/logo-efs.svg&#34; width=&#34;128&#34; height=&#34;128&#34;&gt;
&lt;/figure&gt;
&lt;form method=&#34;POST&#34;&gt;
&lt;div class=&#34;field&#34;&gt;
&lt;div class=&#34;control&#34;&gt;
&lt;input class=&#34;input is-normal&#34;
name=&#34;email&#34; type=&#34;email&#34;
placeholder=&#34;Votre adresse courriel&#34; autofocus=&#34;&#34;&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class=&#34;field&#34;&gt;
&lt;div class=&#34;control&#34;&gt;
&lt;input class=&#34;input is-normal&#34;
name=&#34;password&#34; type=&#34;password&#34;
placeholder=&#34;Votre mot de passe&#34;&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;button class=&#34;button is-block is-info is-normal is-fullwidth&#34;&gt;S&#39;identifier&lt;/button&gt;
&lt;/form&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/section&gt;
&lt;/body&gt;
&lt;/html&gt;</pre>
</div>
<div class="col-md-2"></div>
</div>
</div>
<div class="thumbnail">
<div class="row">
<div class="col-md-2"><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEEAAABCCAYAAAAIY7vrAAAABmJLR0QA/wD/AP+gvaeTAAAACXBI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" /></div>
<div class="col-md-8"><h2 class="text-center">Allowed HTTP methods</h2></div>
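<!-- A heading may not be a child of <b>; keep the bold inside the heading instead. -->
<div class="col-md-2"><h3 class="text-info"><b>INFO</b></h3></div>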
</div>
<div class="row">
<div class="col-md-1"></div>
<div class="col-md-10">
<h4>Summary</h4>
<p>The URL &#34;https://quid-dev-sync.cadol.es/&#34; was reported with the following enabled HTTP methods: *, GET. This information was found in the requests with ids 27, 174 and 179. The HTTP proof below does not bear out the &#34;*&#34; entry: the <code>OPTIONS</code> request was answered with 405 Method Not Allowed, the literal <code>*</code> method was rejected by nginx with 400 Bad Request, and only <code>GET</code> succeeded (303 redirect to /surveys/overview). Treat &#34;*&#34; as a false positive of the plugin, not as a wildcard-allowed method.</p>
<br />
<h4>Description</h4>
<p>There are a number of HTTP methods that can be used on a webserver
(<code>OPTIONS</code>, <code>HEAD</code>, <code>GET</code>, <code>POST</code>, <code>PUT</code>, <code>DELETE</code> etc.). Each of
these methods perform a different function and each have an associated
level of risk when their use is permitted on the webserver.</p>
<p>A client
can use the <code>OPTIONS</code> method within a request to query a server to
determine which methods are allowed.</p>
<p>Attackers routinely run this simple test because it gives a very
quick indication of any high-risk methods being permitted by the server.
In this scan, however, the only method confirmed as supported on the
target URL is <code>GET</code>; no high-risk method (<code>PUT</code>,
<code>DELETE</code>, WebDAV verbs) was observed to be accepted in the
proofs below.</p>
</div>
<div class="col-md-1"></div>
</div>
<div class="row">
<div class="col-md-1"></div>
<div class="col-md-10">
<ul>
<li>Vulnerable URL: <a href="https://quid-dev-sync.cadol.es/">https://quid-dev-sync.cadol.es/</a></li>
</ul>
</div>
<div class="col-md-1"></div>
</div>
<div class="row">
<div class="col-md-1"></div>
<div class="col-md-10">
<h4>Fix</h4>
<p>It is recommended that a whitelisting approach be taken to explicitly
permit the HTTP methods required by the application and block all
others.</p>
<p>Typically the only HTTP methods required for most
applications are <code>GET</code> and <code>POST</code>. All other methods perform actions
that are rarely required or perform actions that are inherently risky.
These risky methods (such as <code>PUT</code>, <code>DELETE</code>, etc) should be protected
by strict limitations, such as ensuring that the channel is secure
(SSL/TLS enabled) and only authorised and trusted clients are
permitted to use them.</p>
<h4>References</h4>
<ul>
<li> <a href="http://httpd.apache.org/docs/2.2/mod/core.html#limitexcept">Apache.org</a> (Apache <code>&lt;LimitExcept&gt;</code>; the target runs nginx, where the equivalent is a <code>limit_except</code> block inside the relevant <code>location</code>)</li>
</ul>
</div>
<div class="col-md-1"></div>
</div>
<div class="row">
<div class="col-md-1"></div>
<div class="col-md-10"><h4>HTTP proof</h4></div>
<div class="col-md-1"></div>
</div>
<div class="row">
<div class="col-md-2"></div>
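<div class="col-md-8">
<!-- Credentials redacted: the request as captured by w3af carried the live
     quid_sync session cookie and an "Authorization: Basic" header (base64 of a
     cleartext username:password pair). A scan report checked into version
     control must not contain replayable secrets; rotate the account password
     and expire the session if the original was ever committed. -->
<pre>OPTIONS https://quid-dev-sync.cadol.es/ HTTP/1.1
Accept-encoding: gzip, deflate
Accept: */*
User-agent: w3af.org
Host: quid-dev-sync.cadol.es
Cookie: quid_sync=[REDACTED session cookie]
Authorization: Basic [REDACTED base64 username:password]</pre>
</div>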
<div class="col-md-2"></div>
</div>
<div class="row">
<div class="col-md-2"></div>
<div class="col-md-8">
<pre>HTTP/1.1 405 Method Not Allowed
date: Mon, 15 Apr 2019 18:19:56 GMT
content-length: 0
connection: keep-alive
server: nginx/1.10.3 (Ubuntu)</pre>
</div>
<div class="col-md-2"></div>
</div>
<div class="row">
<div class="col-md-2"></div>
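<div class="col-md-8">
<!-- Credentials redacted: the captured request carried the live quid_sync
     session cookie and an "Authorization: Basic" header (base64 of a cleartext
     username:password pair). Keep secrets out of committed reports; rotate the
     credential and invalidate the session if the original was ever pushed. -->
<pre>GET https://quid-dev-sync.cadol.es/ HTTP/1.1
Accept-encoding: gzip, deflate
Accept: */*
User-agent: w3af.org
Host: quid-dev-sync.cadol.es
Cookie: quid_sync=[REDACTED session cookie]
Authorization: Basic [REDACTED base64 username:password]</pre>
</div>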
<div class="col-md-2"></div>
</div>
<div class="row">
<div class="col-md-2"></div>
<div class="col-md-8">
<pre>HTTP/1.1 303 See Other
content-length: 68
content-encoding: gzip
server: nginx/1.10.3 (Ubuntu)
connection: keep-alive
location: /surveys/overview
date: Mon, 15 Apr 2019 18:20:02 GMT
x-frame-options: SAMEORIGIN, SAMEORIGIN
content-type: text/html; charset=utf-8
&lt;a href=&#34;/surveys/overview&#34;&gt;See Other&lt;/a&gt;.</pre>
</div>
<div class="col-md-2"></div>
</div>
<div class="row">
<div class="col-md-2"></div>
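<div class="col-md-8">
<!-- Credentials redacted: the captured request carried the live quid_sync
     session cookie and an "Authorization: Basic" header (base64 of a cleartext
     username:password pair). Keep secrets out of committed reports; rotate the
     credential and invalidate the session if the original was ever pushed. -->
<pre>* https://quid-dev-sync.cadol.es/ HTTP/1.1
Accept-encoding: gzip, deflate
Accept: */*
User-agent: w3af.org
Host: quid-dev-sync.cadol.es
Cookie: quid_sync=[REDACTED session cookie]
Authorization: Basic [REDACTED base64 username:password]</pre>
</div>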
<div class="col-md-2"></div>
</div>
<div class="row">
<div class="col-md-2"></div>
<div class="col-md-8">
<pre>HTTP/1.1 400 Bad Request
date: Mon, 15 Apr 2019 18:20:02 GMT
content-length: 182
content-type: text/html
connection: close
server: nginx/1.10.3 (Ubuntu)
&lt;html&gt;
&lt;head&gt;&lt;title&gt;400 Bad Request&lt;/title&gt;&lt;/head&gt;
&lt;body bgcolor=&#34;white&#34;&gt;
&lt;center&gt;&lt;h1&gt;400 Bad Request&lt;/h1&gt;&lt;/center&gt;
&lt;hr&gt;&lt;center&gt;nginx/1.10.3 (Ubuntu)&lt;/center&gt;
&lt;/body&gt;
&lt;/html&gt;</pre>
</div>
<div class="col-md-2"></div>
</div>
</div>
<div class="thumbnail">
<div class="row">
<div class="col-md-2"><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEEAAABCCAYAAAAIY7vrAAAABmJLR0QA/wD/AP+gvaeTAAAACXBI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" /></div>
<div class="col-md-8"><h2 class="text-center">Omitted server header</h2></div>
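<!-- A heading may not be a child of <b>; keep the bold inside the heading instead. -->
<div class="col-md-2"><h3 class="text-info"><b>INFO</b></h3></div>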
</div>
<div class="row">
<div class="col-md-1"></div>
<div class="col-md-10">
<h4>Summary</h4>
<p>The remote HTTP server omitted the &#34;server&#34; header in its response. This information was found in the request with id 912. This finding is an artifact of the scan rather than a property of the server: the Scan log records that request 912 timed out and that w3af generated a synthetic 204 &#34;No Content&#34; response for it, which naturally carries no <code>server</code> header (the HTTP proof below is empty for the same reason). Every genuine response in this report includes <code>server: nginx/1.10.3 (Ubuntu)</code>, so the finding can be disregarded.</p>
</div>
<div class="col-md-1"></div>
</div>
<div class="row">
<div class="col-md-1"></div>
<div class="col-md-10">
<ul>
</ul>
</div>
<div class="col-md-1"></div>
</div>
<div class="row">
<div class="col-md-1"></div>
<div class="col-md-10"><h4>HTTP proof</h4></div>
<div class="col-md-1"></div>
</div>
<div class="row">
<div class="col-md-2"></div>
<div class="col-md-8">
<pre>None</pre>
</div>
<div class="col-md-2"></div>
</div>
<div class="row">
<div class="col-md-2"></div>
<div class="col-md-8">
<pre>None</pre>
</div>
<div class="col-md-2"></div>
</div>
</div>
<div class="thumbnail">
<div class="row">
<div class="col-md-12">
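<!-- <p> is not permitted inside a heading; put the alignment class on the h3. -->
<h3 class="text-center">URLs found during application scan</h3>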
</div>
</div>
<div class="row">
<div class="col-md-2"></div>
<div class="col-md-8">
<ul>
<li><a href="https://quid-dev-sync.cadol.es/login">https://quid-dev-sync.cadol.es/login</a></li>
<li><a href="https://quid-dev-sync.cadol.es/">https://quid-dev-sync.cadol.es/</a></li>
<li><a href="https://quid-dev-sync.cadol.es/css/sync-app.css">https://quid-dev-sync.cadol.es/css/sync-app.css</a></li>
<li><a href="https://quid-dev-sync.cadol.es/img/logo-efs.svg">https://quid-dev-sync.cadol.es/img/logo-efs.svg</a></li>
<li><a href="https://quid-dev-sync.cadol.es/css/">https://quid-dev-sync.cadol.es/css/</a></li>
<li><a href="https://quid-dev-sync.cadol.es/surveys/overview">https://quid-dev-sync.cadol.es/surveys/overview</a></li>
<li><a href="https://quid-dev-sync.cadol.es/css">https://quid-dev-sync.cadol.es/css</a></li>
<li><a href="https://quid-dev-sync.cadol.es/satellites">https://quid-dev-sync.cadol.es/satellites</a></li>
<li><a href="https://quid-dev-sync.cadol.es/users">https://quid-dev-sync.cadol.es/users</a></li>
<li><a href="https://quid-dev-sync.cadol.es/surveys">https://quid-dev-sync.cadol.es/surveys</a></li>
<li><a href="https://quid-dev-sync.cadol.es/surveys/new">https://quid-dev-sync.cadol.es/surveys/new</a></li>
<li><a href="https://quid-dev-sync.cadol.es/surveys/import">https://quid-dev-sync.cadol.es/surveys/import</a></li>
<li><a href="https://quid-dev-sync.cadol.es/sync-app.js">https://quid-dev-sync.cadol.es/sync-app.js</a></li>
<li><a href="https://quid-dev-sync.cadol.es/users/overview">https://quid-dev-sync.cadol.es/users/overview</a></li>
<li><a href="https://quid-dev-sync.cadol.es/satellites/overview">https://quid-dev-sync.cadol.es/satellites/overview</a></li>
<li><a href="https://quid-dev-sync.cadol.es/users/new">https://quid-dev-sync.cadol.es/users/new</a></li>
<li><a href="https://quid-dev-sync.cadol.es/logout">https://quid-dev-sync.cadol.es/logout</a></li>
<li><a href="https://quid-dev-sync.cadol.es/surveys/f70c64f0-d5e2-4794-b967-db668f196322/edit/0">https://quid-dev-sync.cadol.es/surveys/f70c64f0-d5e2-4794-b967-db668f196322/edit/0</a></li>
<li><a href="https://quid-dev-sync.cadol.es/satellites/418eef20-6e70-4e4d-ae44-2a1e200e483c/details">https://quid-dev-sync.cadol.es/satellites/418eef20-6e70-4e4d-ae44-2a1e200e483c/details</a></li>
<li><a href="https://quid-dev-sync.cadol.es/satellites/0ecf9645-99de-4861-b48b-38b62d916eb4/details">https://quid-dev-sync.cadol.es/satellites/0ecf9645-99de-4861-b48b-38b62d916eb4/details</a></li>
<li><a href="https://quid-dev-sync.cadol.es/users/e07727b6-b886-48e8-ac7f-ff5428eeab52/edit">https://quid-dev-sync.cadol.es/users/e07727b6-b886-48e8-ac7f-ff5428eeab52/edit</a></li>
<li><a href="https://quid-dev-sync.cadol.es/users/e7ebae45-6156-49fa-8fcd-0efc82015791/edit">https://quid-dev-sync.cadol.es/users/e7ebae45-6156-49fa-8fcd-0efc82015791/edit</a></li>
<li><a href="https://quid-dev-sync.cadol.es/surveys/export/">https://quid-dev-sync.cadol.es/surveys/export/</a></li>
<li><a href="https://quid-dev-sync.cadol.es/users/">https://quid-dev-sync.cadol.es/users/</a></li>
<li><a href="https://quid-dev-sync.cadol.es/surveys/f70c64f0-d5e2-4794-b967-db668f196322/edit/">https://quid-dev-sync.cadol.es/surveys/f70c64f0-d5e2-4794-b967-db668f196322/edit/</a></li>
<li><a href="https://quid-dev-sync.cadol.es/satellites/418eef20-6e70-4e4d-ae44-2a1e200e483c/reject">https://quid-dev-sync.cadol.es/satellites/418eef20-6e70-4e4d-ae44-2a1e200e483c/reject</a></li>
<li><a href="https://quid-dev-sync.cadol.es/satellites/418eef20-6e70-4e4d-ae44-2a1e200e483c/forget">https://quid-dev-sync.cadol.es/satellites/418eef20-6e70-4e4d-ae44-2a1e200e483c/forget</a></li>
<li><a href="https://quid-dev-sync.cadol.es/surveys/f70c64f0-d5e2-4794-b967-db668f196322/export/">https://quid-dev-sync.cadol.es/surveys/f70c64f0-d5e2-4794-b967-db668f196322/export/</a></li>
<li><a href="https://quid-dev-sync.cadol.es/satellites/0ecf9645-99de-4861-b48b-38b62d916eb4/reject">https://quid-dev-sync.cadol.es/satellites/0ecf9645-99de-4861-b48b-38b62d916eb4/reject</a></li>
<li><a href="https://quid-dev-sync.cadol.es/satellites/0ecf9645-99de-4861-b48b-38b62d916eb4/forget">https://quid-dev-sync.cadol.es/satellites/0ecf9645-99de-4861-b48b-38b62d916eb4/forget</a></li>
</ul>
</div>
<div class="col-md-2"></div>
</div>
</div>
<div class="thumbnail">
<div class="row">
<div class="col-md-12">
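<!-- <p> is not permitted inside a heading; put the alignment class on the h3. -->
<h3 class="text-center">Scan log</h3>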
</div>
</div>
<div class="row">
<div class="col-md-1"></div>
<div class="col-md-10">
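<!-- Data table: give it a caption and column-header scope so screen readers can
     associate each cell with its header. The width attributes are kept because
     the page's table-layout:fixed rule relies on them. -->
<table class="table table-striped">
<caption>Errors logged by w3af during the scan, in time order</caption>
<thead>
<tr>
<th scope="col" width="20%">Timestamp</th>
<th scope="col" width="10%">Log level</th>
<th scope="col" width="70%">Message</th>
</tr>
</thead>
<tbody>
<tr class="danger">
<td>Mon Apr 15 18:19:55 2019</td>
<td>error</td>
<td>Can&#39;t login into web application as admin@quid.local</td>
</tr>
<tr class="danger">
<td>Mon Apr 15 18:19:57 2019</td>
<td>error</td>
<td>audit.rfi plugin needs to be correctly configured to use. Please set valid values for local address (eg. 10.5.2.5) and port (eg. 44449), or use the official w3af site as the target server for remote inclusions. The configuration error is: &#34;Listen address and port need to be configured&#34;</td>
</tr>
<tr class="danger">
<td>Mon Apr 15 18:20:39 2019</td>
<td>error</td>
<td>The server_header plugin got an error while requesting &#34;https://quid-dev-sync.cadol.es/surveys/f70c64f0-d5e2-4794-b967-db668f196322/edit/0&#34;. Exception: &#34;HTTP timeout error&#34;. Generated 204 &#34;No Content&#34; response (id:912)</td>
</tr>
</tbody>
</table>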
</div>
<div class="col-md-1"></div>
</div>
</div>
</div>
</body>
</html>