| Medium (Medium) | Multiple X-Frame-Options Header Entries |
|---|---|
| Description | X-Frame-Options (XFO) headers were found; a response with multiple XFO header entries may not be treated predictably by all user-agents. |

| URL | Parameter |
|---|---|
| https://campus.cegepadistance.ca | X-Frame-Options |
| https://campus.cegepadistance.ca/login/index.php | X-Frame-Options |
| https://campus.cegepadistance.ca/login/forgot_password.php | X-Frame-Options |
| https://campus.cegepadistance.ca/help.php?component=moodle&identifier=cookiesenabled&lang=fr | X-Frame-Options |

| Instances | 4 |
|---|---|
| Solution | Ensure only a single X-Frame-Options header is present in the response. |
| Reference | https://tools.ietf.org/html/rfc7034 |
| CWE Id | 16 |
| WASC Id | 15 |
| Low (Medium) | Incomplete or Missing HTTP Pragma and Cache-Control Headers |
|---|---|
| Description | The cache-control and pragma HTTP headers have not been set properly or are missing, allowing the browser and proxies to cache content. |

| URL | Parameter | Evidence |
|---|---|---|
| https://campus.cegepadistance.ca | Cache-Control | private, pre-check=0, post-check=0, max-age=0, no-transform |
| https://campus.cegepadistance.ca/login/index.php | Cache-Control | private, pre-check=0, post-check=0, max-age=0, no-transform |
| https://campus.cegepadistance.ca/login/forgot_password.php | Cache-Control | private, pre-check=0, post-check=0, max-age=0, no-transform |
| https://campus.cegepadistance.ca/help.php?component=moodle&identifier=cookiesenabled&lang=fr | Cache-Control | private, pre-check=0, post-check=0, max-age=0, no-transform |
| https://campus.cegepadistance.ca/theme/yui_combo.php?rollup/3.17.2/yui-moodlesimple-min.css | Cache-Control | public, max-age=31104000 |
| https://campus.cegepadistance.ca/theme/yui_combo.php?rollup/3.17.2/yui-moodlesimple-min.css | Pragma | |
| https://campus.cegepadistance.ca/theme/image.php/cegep/core/1476196508/help | Cache-Control | public, max-age=5184000, no-transform |
| https://campus.cegepadistance.ca/theme/image.php/cegep/core/1476196508/help | Pragma | |

| Instances | 8 |
|---|---|
| Solution | Whenever possible, ensure that the cache-control HTTP header is set with no-cache, no-store, must-revalidate, private; and that the pragma HTTP header is set with no-cache. |
| Reference | https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching |
| CWE Id | 525 |
| WASC Id | 13 |
| Low (Medium) | Cookie No HttpOnly Flag |
|---|---|
| Description | A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible. |

| URL | Parameter | Evidence |
|---|---|---|
| https://campus.cegepadistance.ca | MoodleSessionCampus | Set-Cookie: MoodleSessionCampus |
| https://campus.cegepadistance.ca/login/index.php | MoodleSessionCampus | Set-Cookie: MoodleSessionCampus |
| https://campus.cegepadistance.ca/ | MoodleSessionCampus | Set-Cookie: MoodleSessionCampus |
| https://campus.cegepadistance.ca/local/page/aide-a-la-navigation/ | MoodleSessionCampus | Set-Cookie: MoodleSessionCampus |
| https://campus.cegepadistance.ca/course/view.php?id=1 | MoodleSessionCampus | Set-Cookie: MoodleSessionCampus |
| https://campus.cegepadistance.ca/login/forgot_password.php | MoodleSessionCampus | Set-Cookie: MoodleSessionCampus |
| https://campus.cegepadistance.ca/my/ | MoodleSessionCampus | Set-Cookie: MoodleSessionCampus |

| Instances | 7 |
|---|---|
| Solution | Ensure that the HttpOnly flag is set for all cookies. |
| Reference | http://www.owasp.org/index.php/HttpOnly |
| CWE Id | 16 |
| WASC Id | 13 |
| Low (Medium) | Web Browser XSS Protection Not Enabled |
|---|---|
| Description | Web browser XSS protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server. |

| URL | Parameter |
|---|---|
| https://campus.cegepadistance.ca | X-XSS-Protection |
| https://campus.cegepadistance.ca/robots.txt | X-XSS-Protection |
| https://campus.cegepadistance.ca/sitemap.xml | X-XSS-Protection |
| https://campus.cegepadistance.ca/login/index.php | X-XSS-Protection |
| https://campus.cegepadistance.ca/login/forgot_password.php | X-XSS-Protection |
| https://campus.cegepadistance.ca/help.php?component=moodle&identifier=cookiesenabled&lang=fr | X-XSS-Protection |

| Instances | 6 |
|---|---|
| Solution | Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'. |
| Other information | The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it: `X-XSS-Protection: 1; mode=block` and `X-XSS-Protection: 1; report=http://www.example.com/xss`. The following value would disable this protection: `X-XSS-Protection: 0`. The X-XSS-Protection HTTP response header is currently supported by Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could contain an XSS payload (with a text-based content type, of non-zero length). |
| Reference | https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/ |
| CWE Id | 933 |
| WASC Id | 14 |
| Low (Medium) | Password Autocomplete in Browser |
|---|---|
| Description | The AUTOCOMPLETE attribute is not disabled on an HTML FORM/INPUT element containing password type input. Passwords may be stored in browsers and retrieved. |

| URL | Parameter | Evidence |
|---|---|---|
| https://campus.cegepadistance.ca | password | `<input type="password" name="password" id="password" size="15" value="" />` |
| https://campus.cegepadistance.ca/login/index.php | password | `<input type="password" name="password" id="password" size="15" value="" />` |

| Instances | 2 |
|---|---|
| Solution | Turn off the AUTOCOMPLETE attribute in forms or individual input elements containing password inputs by using AUTOCOMPLETE='OFF'. |
| Reference | http://www.w3schools.com/tags/att_input_autocomplete.asp https://msdn.microsoft.com/en-us/library/ms533486%28v=vs.85%29.aspx |
| CWE Id | 525 |
| WASC Id | 15 |