|
1
|
<html><head><title>Burp Scanner Report</title>
|
|
2
|
<meta http-equiv="Content-Security-Policy" content="default-src 'none';img-src 'self' data:;style-src 'unsafe-inline'" />
|
|
3
|
<style type="text/css">
|
|
4
|
body { background: #dedede; font-family: 'Droid sans', Helvetica, Arial, sans-serif; color: #404042; -webkit-font-smoothing: antialiased; }
|
|
5
|
#container { width: 930px; padding: 0 15px; margin: 20px auto; background-color: #ffffff; }
|
|
6
|
table { font-family: Arial, sans-serif; }
|
|
7
|
a:link, a:visited { color: #ff6633; text-decoration: none; transform: 0.3s; }
|
|
8
|
a:hover, a:active { color: #e24920; text-decoration: underline; }
|
|
9
|
h1 { font-size: 1.6em; line-height: 1.4em; font-weight: normal; color: #404042; }
|
|
10
|
h2 { font-size: 1.3em; line-height: 1.2em; padding: 0; margin: 0.8em 0 0.3em 0; font-weight: normal; color: #404042;}
|
|
11
|
h4 { font-size: 1.0em; line-height: 1.2em; padding: 0; margin: 0.8em 0 0.3em 0; font-weight: bold; color: #404042;}
|
|
12
|
.rule { height: 0px; border-top: 1px solid #404042; padding: 0; margin: 20px -15px 0 -15px; }
|
|
13
|
.title { color: #ffffff; background: #ff6633; margin: 0 -15px 10px -15px; overflow: hidden; }
|
|
14
|
.title h1 { color: #ffffff; padding: 10px 15px; margin: 0; font-size: 1.8em; }
|
|
15
|
.title img { float: right; display: inline; padding: 1px; }
|
|
16
|
.heading { background: #404042; margin: 0 -15px 10px -15px; padding: 0; display: inline-block; overflow: hidden; }
|
|
17
|
.heading img { float: right; display: inline; margin: 8px 10px 0 10px; padding: 0; }
|
|
18
|
table.overview_table { border: 2px solid #e6e6e6; margin: 0; padding: 5px;}
|
|
19
|
table.overview_table td.info { padding: 5px; background: #dedede; text-align: right; border-top: 2px solid #ffffff; border-right: 2px solid #ffffff; }
|
|
20
|
table.overview_table td.info_end { padding: 5px; background: #dedede; text-align: right; border-top: 2px solid #ffffff; }
|
|
21
|
table.overview_table td.colour_holder { padding: 0px; border-top: 2px solid #ffffff; border-right: 2px solid #ffffff; }
|
|
22
|
table.overview_table td.colour_holder_end { padding: 0px; border-top: 2px solid #ffffff; }
|
|
23
|
table.overview_table td.label { padding: 5px; font-weight: bold; }
|
|
24
|
table.summary_table td { padding: 5px; background: #dedede; text-align: left; border-top: 2px solid #ffffff; border-right: 2px solid #ffffff; }
|
|
25
|
table.summary_table td.icon { background: #404042; }
|
|
26
|
.colour_block { padding: 5px; text-align: right; display: block; font-weight: bold; }
|
|
27
|
.high_certain { border: 2px solid #f00; background: #f00; }
|
|
28
|
.high_firm { border: 2px solid #f66; background: #f66; }
|
|
29
|
.high_tentative { border: 2px solid #fcc; background: #fcc; }
|
|
30
|
.medium_certain { border: 2px solid #f90; background: #f90; }
|
|
31
|
.medium_firm { border: 2px solid #ffc266; background: #ffc266; }
|
|
32
|
.medium_tentative { border: 2px solid #ffebcc; background: #ffebcc; }
|
|
33
|
.low_certain { border: 2px solid #fe0; background: #fe0; }
|
|
34
|
.low_firm { border: 2px solid #fff566; background: #fff566; }
|
|
35
|
.low_tentative { border: 2px solid #fffccc; background: #fffccc; }
|
|
36
|
.info_certain { border: 2px solid #ababab; background: #ababab; }
|
|
37
|
.info_firm { border: 2px solid #cdcdcd; background: #cdcdcd; }
|
|
38
|
.info_tentative { border: 2px solid #eee; background: #eee; }
|
|
39
|
.row_total { border: 1px solid #dedede; background: #fff; }
|
|
40
|
.grad_mark { padding: 4px; border-left: 1px solid #404042; display: inline-block; }
|
|
41
|
.bar { margin-top: 3px; }
|
|
42
|
.TOCH0 { font-size: 1.0em; font-weight: bold; word-wrap: break-word; }
|
|
43
|
.TOCH1 { font-size: 0.8em; text-indent: -20px; padding-left: 50px; margin: 0; word-wrap: break-word; }
|
|
44
|
.TOCH2 { font-size: 0.8em; text-indent: -20px; padding-left: 70px; margin: 0; word-wrap: break-word; }
|
|
45
|
.BODH0 { font-size: 1.6em; line-height: 1.2em; font-weight: normal; padding: 10px 15px; margin: 0 -15px 10px -15px; display: inline-block; color: #ffffff; background-color: #ff6633; width: 100%; word-wrap: break-word; }
|
|
46
|
.BODH0 a:link, .BODH0 a:visited, .BODH0 a:hover, .BODH0 a:active { color: #ffffff; text-decoration: none; }
|
|
47
|
.BODH1 { font-size: 1.3em; line-height: 1.2em; font-weight: normal; padding: 13px 15px; margin: 0 -15px 0 -15px; display: inline-block; width: 100%; word-wrap: break-word; }
|
|
48
|
.BODH1 a:link, .BODH1 a:visited, .BODH1 a:hover, .BODH1 a:active { color: #404042; text-decoration: none; }
|
|
49
|
.BODH2 { font-size: 1.0em; font-weight: bold; line-height: 2.0em; width: 100%; word-wrap: break-word; }
|
|
50
|
.PREVNEXT { font-size: 0.7em; font-weight: bold; color: #ffffff; padding: 3px 10px; border-radius: 10px;}
|
|
51
|
.PREVNEXT:link, .PREVNEXT:visited { color: #ff6633 !important; background: #ffffff !important; border: 1px solid #ff6633 !important; text-decoration: none; }
|
|
52
|
.PREVNEXT:hover, .PREVNEXT:active { color: #fff !important; background: #e24920 !important; border: 1px solid #e24920 !important; text-decoration: none; }
|
|
53
|
.TEXT { font-size: 0.8em; padding: 0; margin: 0; word-wrap: break-word; }
|
|
54
|
TD { font-size: 0.8em; }
|
|
55
|
.HIGHLIGHT { background-color: #fcf446; }
|
|
56
|
.rr_div { border: 2px solid #ff6633; width: 916px; word-wrap: break-word; -ms-word-wrap: break-word; margin: 0.8em 0; padding: 5px; font-size: 0.8em; max-height: 300px; overflow-y: auto; }
|
|
57
|
|
|
58
|
div.scan_issue_false_positive_rpt{width: 32px; height: 32px; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAQaSURBVFhHxZdNbBNXEIDHa8d/guCUJDLCoEKiHkJVELQKRYpAQhyqCjiBOICExA24kAOIA4WcCiKppR4bbqWoDQeCkBCQVkFABOGnEIJDI2IEQQHZwbjYsfy33sfM88T2uv5Zi6R80Whn5u3MvJ19L34LRvH5fFZVVb8TQnRrmvYnyiuUGEoK5S36R1B+RdkdiUQaOezjSSQSrZj0Fy5iCJpUJpP5I5VKreU0tUNPjElOUDLOWzMYq+HlJxQHpzVGLBZbgrFDMsscgLl82MmVnL4y1DYMeMOxcwbmfIeXdi5TGrzh8/koXkCQ1hSX00PvHIvf5RvnE9otuTVh4iv4Y/6uBZYFP7BpCJfFBUktCXEtzp7SWE1WcJqdYFWs0sYHPWk2m4+SLidAbdn5z87xgfCAUi1ZIWfbzsKD6APwvvKypzI2xQYbFm2ArhVdmQ5XxyqTyTQuB3C7naHepLW0WDO8RsBfkJOR6Ih4MvNEytjMmBgIDYh9Y/vk2JXQFQoTM+qM2OPbo4s7PHFY3Pr3lhTvpFcsvrE4N+YcdIqLwYtnZHGMt2FLYjITsm1kmy5RKQbDg3KMJjVLz8seXRzdU8i10DXd+K7RXVTTpuDTf4+tcMrZIB67h7XyeGwe2NG8A+rN9ewBsCt21kqz5bMt0OJoYQvgReKFk2oruBg2s88wrY5W6PuyD5bZl7EHoMnaxFp5KG4WmjDVVrAN37LPEFPJKbgXucdWbUzEJ1gD2Niwkd7vWgXbn+9LCWibFdL7uhf2Pt3LlnGuhq6CP+6XeoOlAfYv3Q9Yu82Cdv5FIk11+lYee35M7mFCExqcD54HxaRIuxqPoo8gkArA0Psh6J7slj7Kf2n1JWi2NpNZXzUTBeOKhv7pfjgXOAfP4s94pDo9kz2w9fFWeXVb3XDQcxBG20ehvb7gJwHfQwIlx/Hnx3XbJZgM8kiWA+MHRNudNrby9AX6dHHF27AMCVqEYzwXQ6y0G/tVNQLWfkiL8Dbbhuhc3gm+dh9bHwfW/pvWwPWsmaV41c8z15VAIHAZlVzVSCbCWm1EVH1csV2CJNVW3G43nWx/ZydMp6ZZy5LQEqxVprhz1SZANam23IaKovyICyJDOv2nK2Q4MgyqUNkqz/3ofday0P+Acq+Tlj8e8U+TnjuQuG+6b6RFuiOUDrEnT52pDg4tPwSnWk6xJ88R/xHoneqFsBpmTx4T/m1v3A4XvrrAniz49F78HegkPTeBdYPrGvvX91/GU8s37NLhUByw0LKQrTxRNVrxRESnIVediy3JY5T1uAP+G4Sd+XSH0lnwWP71fEwCc75Lp9ObuExl8H7qxFx/mHzB6Y3xST/NCqF3hgn+/4/TYmY/zzHxz1iAPs+nqBAKPWUYL6M49hvqNXyeA3wAUPUS+7uslXoAAAAASUVORK5CYII=)}
|
|
59
|
div.scan_issue_high_certain_rpt{width: 32px; height: 32px; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAL3SURBVFhHvZfPaxNBFMdfN8ZQLTlEghEKFSNWExApFfEmeBL/gOKp9/4F8ebNW/8A7wW9F9RTe6iUerCkND21lzaiBi0YEUyjGb9v9226m7xNZrbiBx47MzvzvvPj7ezMBFnSIDo/S/QwAzNEd1CELBVgWVgbjj7iuQN7+4PoTZ7oK9Jn5xfRdQi+6MEhnmbIKhVjlpYCKxT8MtQ9+UP06oRoTty4wyOGk2fsbEg0kzFmYcGYtTUTo1qN1UPbHp7LsElxa8dPoito/C7qrG/T08YcHoriAPxOaQNfDczkNXE/Gp42NPikOfKNR5lELqe3gcHnMZ73REYHFa6OFGcrl0VtgFZLrx+3FseUyMXhNYf4e6VR3HiUGhwPWv1hq8P6MeHJk24S1fAp3ZVsMp0OUbMpmQgHB5IYy20M9Kmkgw7wtCBR80tsODqSRIQG5tASDLQWLoXfAewkLG7/qWijtZ8B7kBWNMnDeuRQ8MR/Y4s22v19SdjBmqztYbN5jMwFKbfjbDHgw5qs7fHeLmX2DIpxhzg4HWFtXoL7krdncAkcAjAKtOc8TEVZ8va02/Fl2NuThBvQrvBXgD9nCqKjTjkDIN/fiJz5BzPAcAfco4eJfnbaxmRHh4MwXffDGRiMBwegvc1BuCl5N8JP0XEDigLtD7wE60HWEZ72lRWixUUpSMX6xGeii5eJviGTC8r+G50vRJe8Ek5g+D2+lEI3JvH/KmMb4V+LI6zJ2n4GwTCLgt94ageIYSuVjFldNabbDQ4ju7vGzMzodRWDVg+fXtUXD8GP4blWWbWtrUA4Sr2u11UMWssiewr2MrsjGZ98k8jn9TZxix3JYuDF+EPpqA4Ui3qbU0s+lIbgWD4/thMplgA+j7tED0RmNGjAM6FfTNg4CDc2RBmMCUL44ovJDXFvB8dE4tUstKmp4J6Qzarv0Tbd1SwKrxkcJF9OFeNOo/NWl1Nsx3bwjPD1HA0e8UECRbdgRdg55L9DuAnbwd7+2v56TvQXGcdZcmkc3RsAAAAASUVORK5CYII=)}
|
|
60
|
div.scan_issue_high_firm_rpt{width: 32px; height: 32px; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAALmSURBVFhHpZdNaxNRFIYnCTGokI2WIqQgtrWQQhfFIpZCA67EX2Bx199QcOHCnRvpQrpyZRGh/gcX3UjBhSI2brooVKyJmEoDgUy+ru87c4ZMJjcz904eOM25X+e9n9N7HVOq1eqVXq/3SCn1ajAYfIT9hLVgHdhf5H+DvYM9bTabN6XZ9LTb7QUEfSMi4xwfK7W351uj4WWxU/1+/0On01mVMPZwxAjygsG8qGG6XaUODpSqVJRynKGxMyHQdoCfXdhVCWtGq9W6hbafvChRzs6UKpVGhQNjmQbEqmIm70j4eDhtaPBb2o7DUerEae22VBoHMS/wc19k9KDC7VhxcnKiF5+ZkQqx/OGeErlRuOYQ/ywVJ8NR6jqwuSkVEuFpGd8T3HB+uQG6PbC9LYXJQOulyDpZ/uG0ZDKZ516OCaWSOCHKZXGSgdYO+rFE3+tAPp9/hswcfSMWNMuoy5sAtbDcO/Sz6EkBGU+8ElN0o52fF8cMalI7i/V4jMQ1yTdjbk6cEBYzQKhJ7Wwul3soeeZER8t0oSAJc6jNJXggaXOWl8URomlDoL2axVTYLR4pFkdPguX6B0C7zFOAaCkIjzrlDICidwxTEZ4Bi29AFHbA9V1LwtOu+zCZ4XIT/pCEHcFR5H7QHUsDoP2Vm/BI0nYEM5ByAxJof+ESHPpJSxYXHWdry3H29yUjFYeZWq12fXZ2toGE/ZdkOtx6vX7D8/BJfIv1sKfZ9C8orisZ5lDTEydIL+G/U88vMuD8XKmNjeFdoFxW6vRUCpOB1sB13dGPBy8JUp7M2troZYS2siKFyUBrV2SHGF/JePONigd2eSmVYtFfyQgKki+lcR2o16XSRCZfSgNwLb+X2IkUS4CYF91utyIy8aA+Z0L/MCHchOvrQ/GETYhYfJjclfBmxD7NAhKOIdqme5qF4ZohwOTHqQZ2Gp2f7nEaJXieI/BrCPB5/otCMI7yH36+o+w9fIvnueP8BxSS9SUfeqeFAAAAAElFTkSuQmCC)}
|
|
61
|
div.scan_issue_high_tentative_rpt{width: 32px; height: 32px; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAOISURBVFhHvZfPS1RRFMfv+KMxE1MMJHARTaXkLpDEhS5CsEUbQxFxE/0BEkgLEYo2maSL0I0EBhoULsKFIpLoJoUEJWICsUWQ0Uxm0jBjM+PMnL7n3TPOvN6bH2+EPnDm3Xd/nO+5d+69716VL16v91QsFrtJRE8TicRb2FdYCBaF/UT+B9g0rC8QCJyTZjlxyTMj4XD4ktvtvg/HnS6Xq0b9+aPU6qpSGxtKBYO6UkWFUlevKtXertTZswp1j2BvEPAjtPXqSg7hHsfj8YfcQzgjCgaJ7t0jqqoiUtCws/Jyov5+osNDowm3hY8nSJ4Wt/kRCoXOo/E7wwuzv090+bK9qJ21tBwHwcCXFyN5UdxnJxqNXkOD79JWMzdnL5TNeCTSgM9feFwXGXtQ4YJFnHnwIOW4tZVoeJhoZESLeDxm4aS53XrkzPzgOSVyZvg/h/h7qWjmxg3tdHJSMtI4wnzr6bEGwLa4KJVM8GqxzgmecLr8H8Jh3ZumJsmwYW/PPoBpXpVWoPVYZDU8LOh9TMrNrKxoZ1NTkpGBujprAGtrUmhGtOpF3uj9c11kw/Y20fi4XobZqKw0i1dXZ23DmoY40m5EFNLZBbKwYBZnGxiQQntE062wW3XqrALhXjY0mMV5zzg4kAqZYW3Upgn9WiC9vVbx3V0pzMmEwlBsyotzRkfN4s3NTsT5b1hHK/qtXx0yP09UXJwS7+rKPVGt/OYAnOPzpT5KLpfeGeNxKXRGYQHcvavFS0uJXr2SzMLgALDVOYQ/uxwA9/xkhIvw88nYEJxQUqKfd+7oZ4FAe6sIp5x1ec+ftjZJnAxobxbhifOVQ4aGlPJ4lNrdlYyCWXX5fL4ztbW1+3hx67z/RsTv99cYKXwYXhhT4j/CmoY4g/d6+UTmZmuLqKND7wO87c7OSkH+QCsRiUQaRV7DhwQpz4zfbz0V80a0vCwV8gNaYyKbIuuRLAmfC9LFk9bXJxXywnQk41Vg0NjYGMWy6EahT7KsZJr1gYAkcrKHob8NHdxuNMcBMCj4gm/0rYxB8M3HjpYWSWQGPg/gu7usrOyzZGUGlfl4nrqYpDM4qP/35PDzMT3tEmIHfPHF5Iq4zw/L1SydnR2imRmipaWsX0G05ZU1BnN2NUuHT8xwMAlnfAPOCw4awb+2LLWTkLyew/EzCPD1/BsLwRLQPMDjI8peIu3geq7UX+xyemrcb22vAAAAAElFTkSuQmCC)}
|
|
62
|
div.scan_issue_info_certain_rpt{width: 32px; height: 32px; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAMwSURBVFhHvZdPaBNBFMYna/7poRBrSoQeihFbkpsXT4VeRTwF2hw85Oyth4DgQU8tRisijQevYlDBk+hJaHOQQoWKkUhKpQiJaFFSCESbkGT83uS122ST7myq+cHLvn0z+763O7OTHaFLPp/3NhqNy1LKe61W6y2sCKvC6rBfiH+EPYFdq1QqZ/iy47O3t3ceSR+ziBZUVLPZfF6r1aKcxjl0x0hym5Jx3gMQl6lUSk5NTcnR0VE5Pz8vUSi3mnAhd+Ce5LR6VKvVs7j4XTuNlYWFBYluHZZMJrnVCnLlUeA59LOnXq9fxAXf+dqeBINBSwHj4+Pc2hvkLONwCX07MPioQIcJt9v92uVyhTikDcabvd4gZwCHVzSn2pE2BwXQmKOAFzriGHP2TBKJBHtHEvT5fC+hY50TNOHQoMX+JAyHwzIQCPSdhP3A9YssK1z0Q4/F6/UWcPcnVPQ/QzVAKwrbVEPg8XhuDEucIC1MyqTyUY0PVkbwlGodEtD8Dc3TBsbjynHEi8WiWFpaEnNzcxzRgzSVNipJ4/x6O9yfcrkscrmcKJVKSrRQKIj19XV1JLAOqLhDHgmMxQaKsCWdTlsWn8MWiUS4pz7QXjPwKMJIYMv09LRYXl4WeP0ExDhqMjY2xp4+0I7QZHBMJpOxPIGZmRludUbHUqwLlmv2TEZGRthzBhVw9CKuCZZY9hxRM/AUPvOJNoPebTfQ/kCTcI3Ptel1t4MUBe0NGoLV9unxGHAIVo2dnZ03cBzNgwHFuqmRthEKhejL9hkHtfgXc4A0SVu9hoZhLGJCNFWLBnZfP3bQ+49P/LvkqwIwGTYRUwEd8N3P3mBA6wGGMU/+wUKEP5VbaHjPp45xUFQOT/wm+2YB0Wi0jicxiyJ+cKgvvcQ0h+Un+sWg84fPzQIINHzF2Fy1K2J7e5s9k62tLfZ6g5y7yD3r9/u/cKg/6DyBWdqxMVlZWZHxeFzGYjGJt8DyZ0Q2OTkp8WEis9ksX9UGuWhjcgF99Onemtl9Dxw26svCDRzuw5xtzQ5DX8xIMPzNaTf723MkfggB2p5/IyFYC5q7OHxC21P4DrbnQvwF214N3RLEYxoAAAAASUVORK5CYII=)}
|
|
63
|
div.scan_issue_info_firm_rpt{width: 32px; height: 32px; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAOPSURBVFhHxZdNaBNREMdfkiZp0lJoiBBLDwU9Jf1AK5WGHupRpAcRe7Kn3rz3IArtTUFLRdCDB/Ei+HkScxIqPQmGRFKaJmkQqVVSTJNSGtPEJvE/L9MN+dh0k7bxB4+dmd19Mztv9n0IraysrJj29/cvFwqFB/l8/iPaD7QUWhYtjubL5XLPcP/Gzs6OnV87Ont7e2fR6VNygqsmKCgE8yqTybi4G1V0fK2CvtjpdM6ivxmdTmdkswSdC6/XK8LhsEin08Llcgm32y30ej0/UQTv/kVbgH0OfaTZXEbNAFKp1GmLxfIWL7nZVMbS0pLw+/2sFRkZGRGjo6OslYMggtlsdqK9vf0bmxTKQwZ48Dyc+9ScE8gOSyWCwSBL1aAvp8lk8iKQi2xSKAsAD/S1tbV9wAsONmmGhqUe6LMbl/dUU0VLESUAGnME8FqLcxrzSgYGBliqyymz2fwOfiysl2oAXzCHYplltS4HRbi6ukp/iejv769ZhGrgL7lnMBhukSwDoLRgjEL4egPpJw0ykIMvF1pYhmw0Gu+0yjlBvpCFGSkjGhuuv9DMZGgV8PsHgdj0iOQ69KadY9oVPp9PeDwetmgDzq2opSuUgcfQbxbN6lCxxeNxsbu7K9vW1paIxWJie3tb3u/s7BTT09NSboAnOmSAJp1zbFAlEAiIxcVF1qqx2WxiamqKNW3g4z/r4fwM63Xp6ekR4+PjYmxsTHR305xSjtVqZUk78O2kv6CrqNbHbreLoaEhMTw8LAYHB9laAtM3Sw3RpW3mqKCjo4OlEphHWGoMCiBTFI8GZjaWGiKjRyGoL2MqNPu1lcC3n4rQx7pmmvzaKsg3TURfWP8ffMICpn8D4VjqoEEym5ubHhqCBLLwko0tg3w6HI6U/A2RhbsoiPpbmmMEvgrY4t8nWQaALIRhk4ZWAF8PsTOSG0tlIgqFQrQF11SQ2Liy1BQBZPw2y6UAsM/LIhOTCCLGJlVqbUAP25Qyv3FYuQY/yhlBCYDAje8Ym4nDgqDluJJkMslSbdBnEn1P4mwQZZOk5sEED/ehvUBAytlgY2NDLC8vU/WK9fX1msNAqyQtWrRY9fb2slX2RweTq3AeYZNCWQYOoExgx3sJ4jyanCMSiYSIRCIiGo2q1gBlYW1tTT5LwDGNywL6u1DLuSZO+nCqmYPjOTp+BAd0PP9JjtDy8JnE5SvuPYfcwPFciH+oJiV1ec52uwAAAABJRU5ErkJggg==)}
|
|
64
|
div.scan_issue_info_tentative_rpt{width: 32px; height: 32px; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAANQSURBVFhHxZfPaxNBFMcna5s0thRsYn6QS0GhkJwUQfDmUaQHEXvyL/DuSUEvUkRFEfTgQbwI/jyJnjx4FJQohqSpiBgkqWnS9GfMr6br982+7JLNbtxsa/zAsG/ebN578+btTEY4JZ1Oe7e3t0+pqnpzZ2fnLdpPtCpaE62Mlmy32w8xfn5jYyPIP9s99Xr9MIw+ICd4OoKCQjBPG41Ggs0MDs0Ytq6RMc2sAXTq0tKSurCwoKZSKbVQKEidGQ7kOkQ/m+3Bw88uqtVq1O/3v/B4PCdY1QUcilKpxD2NcDgsIpEI97pBAJlmszk7Njb2nVU6Cj918OJROE/aOSdWVlZYMqhUKiz1Altxr9f7EYEcZ5VOVwB4YXpkZOQ1fmA9lT7gtyxZA5sH8HhFNaVpNPQAeM2fOXEeCARYMrDSWXDQ5/O9hJ/emkCxXMWAIzpFmMlk+hahHfA1z261IqS0YI2ymP0+qf3HUAzwlUBblEswOjp6eVjOCfKFjF2UMqKZwrOA5iPFsIDf3whkSkEk59B37RyfrVheXha5XI41zoDz/aiF05SBe+hf0NT24BygWhGtVks6JblWqwlst3Icyyji8biUB+C+BxmgTecIK2wpl8sin89zrxfscmJmZoZ7zsDk3ytwfoj7fRkfHxexWExEo1GBb5m1BtjAWHIOfMfpK5jUuv3B9iyCwaAIhUKWm46bAMBkz1ngBFpvM4riypTcirUq2iUuA2goKIQMdxzjdrZm4PsTFWGS+47ZqwDIN21EH7j/P3iHySjPIexJHQxIo1gsvqElqCALT1g5NMgn/sJV5WIiC/MoiLYcGQLwpWJrv0GyDABZWIROKoYBfN3BbpomWS/nbDZ7BQOOChKnGEuu+IKMX2LZCCCRSDSRiTkE8YtVttDJaAZrylJfSjg9z8JPjftGAAQGfsD47N+CoCPZTOdYtgM2V2F7DqfmN1ZJLC8meHka7TEC0u8GW1tb8j4Avdjc3LScMZ2SdCzToTUxMcFaaY8uJmcw9pVVOl0Z6ECZwLXrJMRbaHJq9AdkbW1NrK+v26abskDj9C4Bx1Qst2HvmJVzR9A/Zhga/uXUTOd6DsN34YCu53lyhEYXglU8PmPsEeQBrudC/AFTuKzU4nNa5gAAAABJRU5ErkJggg==)}
|
|
65
|
div.scan_issue_low_certain_rpt{width: 32px; height: 32px; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAPTSURBVFhHvZfdaxRnFMafeSe7m0Sb2mzXGGqaFgOhadESqzWCoASxojFUIWAv0uv+ASklLW3oTS960dJ7bwTBBkVsiB9IQLzQi0bTBBqwTW1oDIr5otF87uxMn3f27O5sdnZ3JkJ/sDvnnJnd57xfZ97XQED6+xBta0W7odAOB+/DQDOvtbxGeF3kI9O0xxzg5vIibjR/gtn0L0tTNoGJq2iqUvicf3zaMBCXcJaKrS2IxQ+79sqTn2GvzzEfJGHjSgr4tvEUfndvFqFoAm6L96KXor18KCLhNIaJyu0nUd34GWKvH4XBbtE8u/MerOc5PZ2I4+AHrKCvoYvfPvgmMHkZ9RUxXOLNgxLKoip3InHwLsyqBonkeDrUAHv1sXh5jFtAR+NJPBI/Szp1D5MDaDWjeOAnrlGRV33FNfb6jFgFtJgOhqcG8aH4WfIS+PsK3jKBQWVgh4QKcFKrYuVjW5yH9pp4hXAoX1MOBvSckpBLNgE95pEK9JcS16T8uxippQmxSpKoVLg81Y8q8XMJyITbJ25x2Eq/JKzlv8QqDTV2qyp8LW46gSl2C8f8KzcSgNTKlFg5vLO/HFwdPdNXWUeIm4Ay8QUz4/AHw6+1ycURscrjapno0bb68xpiXKtn3TsB8WutFWwOZNGaWltVJnGCGVVLPBAvMwcyaE2trdj97RILzEYx1y+xBIuhtRW7ok38wGwcgjAT0Au1WxW7Ypf4gXFYdLzDELb7M1C7Ra+CmrQbDm+rN9sDpCZbiMJieXog+WJcrPCwPCP87CHe0utXmIKgtRW/N5V+Zg7ol1CRV3B5HIzoSXhP3FBkJl7Al5Av1H6gh+C2+KFILf2B5ekLWBj9VCLh0drG6Hlsiddiji+jmMT/F/T4z80jrvZ0Y4n+xXQ4HIa5FWY1y4iRv2UMyEWt7S5DI4XvWJW4iQ2GitYhvv8G6j96jrojE0gcGuE2rVHulodaTsrG99p2E3ijEw/ZJW4gCNv2nEMscUw8bplfeRe1H/wiXgAM/JjZrmcL0b37+IaZ/SpuUVQ0wS35CfFyRGp2p4ejDNQYc5bxpbi5BLr6sJ600GU7eCqh0Biq7DyeWbVxxntGyCvFb3+MScdGR6kk9NZ7bfaWeDmSi2OwSpRktnyB/9vV1Im8wpGXgObNTgxbFto4J+5KqICF37qZxJB4FOfLaH74lHi+jK8lcaCho7Dm+J6MNCWPZoJehipWx3fBP2xiUqI53JVl4Cc95qGOZl7KHU794LMvfzjdSOZ4TvO43kjw+g5/naBaBe1/+XlM4THGrgc/ngP/AaoMYrity1oNAAAAAElFTkSuQmCC)}
|
|
66
|
div.scan_issue_low_firm_rpt{width: 32px; height: 32px; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAOzSURBVFhHrZfPaxNREMc3m82vGhPbUow/CoKlwVaLVIvWi2gPIlIQxNLe/Cd60aInD6KI4E08eBFUFAQVepDSgxTE2kohhZZS1KIGUtsmbZLuZpP1O5vpJmm22d3UDzx2Znb3zex7896+cQk2icVi3mg02qdpWp/L5TqJFoXchFsetBTkn7B9gzyWyWRGQ6HQMr23azY3N9vy+fwTVVWXcdW2N3ltRltffKw3VUnpNjyroL2UZbmTu3EOfTE6u0udlTvUHeQy2sbScy0xcV779V4wWi4br3wO7+ZyuXtLS0sB7rYK0ylIp9MHfD7fawzpOTYZqBuzwsrni0JBSbClxP5LGcEl+lgrUSgUZhFQv9/vX2STgchXA0VRuuF8ysw5oRVkU+cuKWTqnBBFsUOSpEn0fYZNBhUBZLPZI3j4A5xH2FQFOTJD9LawZA76bHS73e8op9ikYwRAc+7xeF7Vck64/YdZqsTdcJSlmrTAx5vynDACaG9vvwnnPazuCA2zaBLEToGZ0BWJRG6zXAyAhgXOR3SLDcycScEOlqyBr2H4jJKsB4AEGYHRTbIdzIbbvadiamtCvuBzmGQxmUw2wTCo37GJ2dc6GQFmCLunTwwGg9ehmK+fHXAHWlkqQitDspeEBvjoBizLKzQFXUWTfbZPgc0VUAWmoY8C6C2q9tk+3A5WQAWYgm4KwHH4Iu16ZRtSvSOAaeigAMy3NgvKnUp76/7phfRlWA/l01DHCjCgAOSi6IzyrK83B4BMAcwWZWdsbTyUC7tIwmkKYKqoOmMrB+pNQAJJOEUBfCmqzpAa2gT/wSEh3PWMLc7BCIy7aCvGbvgbuqPd8D8gJxKJZjEcDq8gkhdsdERBXRfU9AJOSQpb7EM+8VtO62dC+jViW4zRX0q/a0Fe/iOsTQ8KudVPuk7LsLFnFMl4SNetgHM6tJ7A0S+m7wM4LM7Bdl+/a4PVr1cN5wQdVJMzN1izBr4ekXOS9QCI+fn5O7hhmZDkTE1OslZC+TuGKUmxVpOZeDx+i+VSAJ2dnXSGH0AQcTY5BydmCxLwca21tTXLeikAIhAIfMcZvr9WEDTfUvg0ayW8zRdqnozR5yr6HsB0L7BJpyIAwuv1TiLKXrwwwaYqGk+9FTz7SmUDBRU+/pS1aqgwQZV0FificTZZw6XZA7RNKrPMWk5e0+TUHEq1rOl9OFXxMQ9rlWaWWBWnZo1qQjRbxanj8hziZTT6/x5Do0mXsH8kMcw/cKXy/KP98lwQ/gEfuhb/OCSbIgAAAABJRU5ErkJggg==)}
|
|
67
|
div.scan_issue_low_tentative_rpt{width: 32px; height: 32px; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAASISURBVFhHvZdNaB1VFMfPzPtMXj6aD0xbixabkthAxUJpmoVCg+AHdaG0unDjQhcuXIjR2laNushCaUFddVPBjyIV3BQtEkgWkmBbUmxJSI0Wpc0jL0lf0pe85M3kzRv/587JPOd9JPNepT+4zDln7tz/mZk7d84lv4yPj4ez2ewztm1/lsvlBtFuoaXRTLR5xH9H+xrtlVQq1SqXbYomx7JkMpn2SCTyDgZ+QdO0FttaJePOMK3dvUx2dln10YJ1FKzbQ5HWp0gPNRL6rqH9iIQ/xrXjqlMZyibAd9zZ2XkcotxCtpWm1I33aeXWWQgvSi8vWqCWah96jRo6BmDXrCdyWtf1foyxKt08lEwgnU5vq6mp+QEX9bCfM5M0P9JN2fSUOr8Z4aYeajkwqJJgkMSEaZqHo9HoTRX4D7ocXdBxH8TH1sUZc+FX3+KMuTCCp/WeeLhLTdsTDoevIJEDEnLxPAF02Ik2igu2Skix9Ec/LU19pOxw8xMUfeBZWDpZxjRlEhfIWvlLnfOgR2hrb5z0cLMEFHOGYfTgSfwpfh5+55jNl5BAEfOjvfb0BbLT/5yRSJ5cbs1Ojr2szhe2zOxF6eWBvxbn3QD3FciE2y+ui50zyMArCDXuVxOsEE0LUmPXF+J5scw5sTzsxY1+ILaTAH9qED+pIgWYC6OYhQbFHn5DIsXo4VbSozvEyxOs3SWWF2j14Sl0sK0SCIVCxxAMsF1IILodd/gl1Ww/IpHS2NmUWA5aqIlCDXvF88JaeAp9ykYmEbQkgrXqbBVk5n6m5CWemHnqHnmbGh79VLxioLkCzWbdsqzn7kVcLVATb4nnEIztprr2E+KVhjVZWw8EAr0Sq4rFa69TdnlSPEe8pXsIS/IWiZSHtXU8ioPiV8zyzVO0Gv9OPMylpm4lHog+KJGNgfY+ngN3YTc4If9kZn+i5JXn+R0oP7rtCDU9dhbLb0z5PklxArY4vrGMBM0Od8pPSaP6zgFMuj6816KVfVMqvwIs3TjhiGshanr8HNXvercqcYavMhzTP6vxc+pY3/EJ1oeXlF0lBk/CCXH8g+WXie14VR2rBdpXdXyPWGsrI9LypFj3BrTH+BUMO65/6tpPUgDrvJW5LZGqGdZmZmZibW1td+BEnNh9w0gkEi3KwpL4FX+O9xPWVOIM/A78nbLOqY0xF6/a8789bccvbrETQ7vtlfh5OeMfaOVQGXWxtluSIaMBVK/HxC1JzpylxFBHQVWsYfkdxMQ8JP7mQP80/gPqD+auHpOTkx8iucvilmQ1fr5ESW6rUr0CruFG3V+lm0BXV5eJz+IokpiRUBHlZn1hMbIBXJS+CB13j+BZP3Hib+xmDpdLgnc+peB9wGZgzAWMfbSwIvYkwHD9jkQO4oIRCblEWg9hDTgOK1/Nc5ke2/mmeKXBWLwx6Ubp53/N4TIdE7MfE8bEAB7Wlqfs9O1vUHb/ghltSbQY+bJOoblleMVwxYwBzmAw3gH7gpNG8t+vf2r/C+vbcwz8OQR4ez7NQmg5aC7gcB3nvoVdwfac6F9oIodwSlO0xgAAAABJRU5ErkJggg==)}
|
|
68
|
div.scan_issue_medium_certain_rpt{width: 32px; height: 32px; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAOxSURBVFhHvZffaxxVFMe/92azm8aQaEOaFJW2WIkmEqQQNUJByJNIFNoaqD74UAoiCAq2hDStL/2RYsQ8+C9ExFalFVHfRFChLQlEEqK0ImkCsbHRJMT82N2M3zN7dnd2dzZ7JwE/kMw9Z3b3e+6Zc8/ca+DIxKuItz6O7iqLbs/gabpa4WE3r9X8W+IPzfI6DoPvlv/Ft/Uf4i/aFakYwFofDiZiOO0BR4xBo7rzNLUBB17IjH/5FFhdgOchyc9/md7E5fhFjGZuhlM2AJnxE63o5wf6KSyzzGOqgPZjQOebeXHh46eAexNqQAJhsjCMFZwxH2FV3QWEBrDSj727LK5S+Hl15al/BDj5E9DwqDoCDNG3NKNGHmZjciOJnppB/K6uHFavOTb6cYjio6HiQk1DuLiwMq+DQjjLtngMt7yzeFZdOQoC8PqwP2bxNcVb1FVKak0HRYh4el2NUvibDzEVX0lNqcsnF4A8c68an20pLiyWptgn8OzLYtDEgv7cexe71JMPQAuuU83yyCzDgli4o4MKGHRs1uKcWpkAJC0UH/A9Lizd1UEAlwwozPIpb4B9hPgBVMfQRyfXliNhs3XNABGtTeCUjK33NhKc/XH/jiths124rQM3RFO0bboBLzGiWvW7sZMaUERTtG2VQbf63CkWu097iyVYDtG2bJddarszX/QIim1HqH3IMhWPqe3O+lLhY4iY/izUbpNVUJ8xIxKcdYQlWER9rhFFJpiBe5M6iI5lf45ePUJw2YU1JheobeVVqWY0shlYYz2EvIJdoPaYFOHPakcjW3gRG1AQao9abOJ7taOx8Bt3gCPAF2+oYxtQ28y9hweaa3CfvTGh7v8HPv8/19BoW4awwhcDd5PbIF4H7GYbsYVbRhdEU7T9Zch/l9iV0v4dF+q4ZznxA1/gy8A7rIG3xoAH9+nNyshmNZXEBzL2AzDn8atnMg4nXr8G7DusBtnTDrx2XY3KsPqHE5fhd69cI5qawvu8cVPN8siu+OFn1AjQ0gEkHJqqh3HLbbpa+QDar2DDJNHL9MypKzqxCnXsYX49haPBM0IuAMEM4o+Uh54tg5CmM3tDjQBz42W35QJ/8+8U0MuzQUHjKAhAiF/ALZNCF7/A00cZRl4Bpn9Ug8jL6JOX1SjFP5ik8Vz1+dKew51ROFsezbLIMqxrBv6Z5rpKqjOPVDu/H/1oFqTi4TQECu/8cFpM9nhuLF6UjQRdTzK3TbzGaC9SdIai49bgG/fjOfAfeU8viaUaLdcAAAAASUVORK5CYII=)}
|
|
69
|
div.scan_issue_medium_firm_rpt{width: 32px; height: 32px; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAN0SURBVFhHpZfbaxNBFMYnmzQXCy1tTavUgqLS0qAPBdH6pPgkUhSFgkXoX1EQL9VXUUTEJ8GiiIWKCiK+iEIfRAWl4iWlohRRiklrKcRGs7mt39k92WyS2exu8oNh55zdne/sXM7OCLfE4/FgPp8/rGnalWKx+BzlJ0oaJYvyG/4PKHdRTqVSqY38WvNkMpkdaPQmi9SS/Kxpb24YRV3XXRRUoVCYUVU1xs14h74YjVykxvRWreQy+N5pTbt1QNPOi3JZX+YHDDiQS6hGuNkafHytIJ1Ob45EIg98Pt9+dpVZjgsxdVCIvyvssDCZESIQYqMMApjPZrMj4XB4kV0mCl9N8OAQxOek4kRelYuH2qTiBNoaDAaD7xDIXnaZVASAB7YGAoGneGETu2ohIRmtUa7IQZsduDyhOWV4DMwAaMwRwP264kR7H1eq6Kho145oKBR6aJ0TZgADAwNnIL6HTXuom9u2sGGhXeKTsxuTc5LrRgDULRA/p3vcIAuge5ArzkBrAr3QT3U9gJaWltNw+qnuik5Jd8t8NpAWemGC6goiCcFxUr/jFtnXdm7nijtIk7QVJIojMDaw3x2yieihBwjSJG3F7/cfYp97qr+WbJscUA/SpiEYZts90aoUX227BNpDCrrC2+ARYSQj60rwOP4loD1Iq8AmtTlg/eruhn96bWYi8ow18XjIAdVQAPi7NIC122WJyR0qTcJ5NrxRWor0c7L7PzgA7fc0CV+z7Y1SDzQ4AQloz9EQzBqmR7p24rcyJsTxO+xoiFlfIpFo7enpWYXhPZM0h5pMJrv0GlLibYyHdzIpTVv9qml5lR3uIU3S1veEsPtR4hgTd3/EP7+EmBkV4sdLw45iGY4/w2roNWwHKIBcLrcLm5O4ngcg/AW+y/pdN0wfLYsTK1hIj8bZcAZa10ic6mYiWlhYuIAbb9m0h3bFS5LHFl9gZ5Nioy4fFUU5y/VyALFYLIueGEUQCXZ5p4BteX1WcFg5AZ1/bJcDIHDjO45fI3WDoLzfK9k6bsNZobWbjVrQ5hraHsXZ4Bu7dCoCIGj/jkCG8cIrdtUy9liIPsuxgSbhsSk2akFbdDDZh62f+5xT92hWwmEZ4t08LldRbI9mjjgeTiVQ0Ai+ucNpNaXjORq+DgE6ni+REEoRmmu4fMK9e6h7OJ4L8R8qPqbiZvrQ7QAAAABJRU5ErkJggg==)}
|
|
70
|
div.scan_issue_medium_tentative_rpt{width: 32px; height: 32px; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARXSURBVFhHvZdbbBRlFMf/M+3udsFUpJrKxSsQWjby0HhpFWkiICiBxBu+eONBHnyQxIgiXiAQA1ECij6YvkhEBILGRKMYU5UHgomaotQljSUEU9AWKMiGle6yu+P/zHc67G3Y2cXwS77Md87MfP8z893Oh6DE4/FwJpN5wHGcjblcrptlgCXJkmY5Rf9vLNtYnkgkEtfqaxWx9OrLyMjI1Egk8hIbftiyrCZcOA8c3Qsc/xlInTMPRa4CrpsBTJkHNFwNPnuB5XMGvJbvxs1D5fENQL64paVlFUWlhJBOAt+/DvR8yKj+0aeKCI0Bbn8WmLue9ehoIJtt217DNhh5KWUDSCaTE6LR6Kd86W7Xcf400NUODPe7ZkVu4GvPdLtBCAziUDqdXtTQ0HDEdeRh69WDD7ZRvMcTF/7cF1xcGNgPdL+iBr/SsmaEw+FfGMhd6vIoCIAP3FxfX/8VX7heXYa/e7RCbpoNzNsA3P8W0LEcGD9FbxTx0wfmzyls8xpevpQxZTwGrwukz1tbW/fxwTvUdZGtc4Ej3wGLu0wf55PLAJ89CfTuVEceT30DTJ2vhsdBlnbquGPC+wM64ErFMynTBZN4q1hcsOuBhe+pUUTypFYKmMlp+4bWTQDyWyj+muspZuBHIMsg7nxOHWUYw2nfOFmNPHy6h1or2N3Tpe4GEAqFVtJZJ/USGifyC98HYo+pw4dUQitKlF3ePFONQkSLf2GFW2ckEZbTdHIS10j/HmDbg2oo97wIzH9bjVKo+S81x9vZbHbhZYnLArXnBTWUpmlA56tqlEc0Rduuq6ubo77a+GIZcKpPDSLiS3/gkjxOHf6Its1f0aF29ezfxEn1iRpkMldLEW+cpI5LQ+02GQNnWW80rir442tg+2K2kjW2DNKHuE+Exxo7GAkJwFEjOOeGgC0tZlOyuJbJ5jOLg9oqWdkrUv0bQjcHmIjbIeDRHcC9L9ckLshbXGWqpJeiwpx1wG2Pm3ptpGQQHlIjOLL8Cm1LzbVGqH3A5nzkWlslt3Rq5fKgdo90AfOrKunktiHr/Nlj6qiZvdbg4ODY5ubmYRoR47tipIaGhprcGpfErTIdrySi6YoLtKdzd8qYWxX464DjfLTAcd4c5zjvTHOc33frjeBQK5dKpWKi7WVEjGg9s9eVapYneQJ4l9t4flYsC9HTTEBvvU8dlaH+Zu4D7g7mrR59fX2rGRyT/UsQ312akstCKql6cA7yQ72t0gsgFoulOS2WMIhBdZXiN+qLkxF/TvLXP0Id74xQsH7yxlGeZhb5BiEnn3LceDGD94NtnmHbS3g2OKwul4IABMnfGUgHX2ByX4T08+xVpt9HkTS9/Xk1ysO25GDSztQv+JojaToH5hoOmDQbKGS433F+/dhxDn/LIZ1VZyk6szaxmCNSLUjGzAa62JicgAMhQTP4XaNT7X9h9HjOhrdQQI7nx0WIJUfNM7z08t521qs4ngP/AVBE/q1Wmrg8AAAAAElFTkSuQmCC)}
|
|
71
|
|
|
72
|
|
|
73
|
@media print {
|
|
74
|
body { width: 100%; color: #000000; position: relative; }
|
|
75
|
#container { width: 98%; padding: 0; margin: 0; }
|
|
76
|
h1 { color: #000000; }
|
|
77
|
h2 { color: #000000;}
|
|
78
|
.rule { margin: 20px 0 0 0; }
|
|
79
|
.title { color: #000000; margin: 0 0 10px 0; padding: 10px 0; }
|
|
80
|
.title h1 { color: #000000; }
|
|
81
|
.title img { margin: -3px 0; }
|
|
82
|
.heading { margin: 0 0 10px 0; }
|
|
83
|
.BODH0 { color: #000000; }
|
|
84
|
.BODH1 { color: #000000; }
|
|
85
|
.PREVNEXT { visibility: hidden; display: none; }
|
|
86
|
.rr_div { width: 98%; margin: 0.8em auto; max-height: none !important; overflow: hidden; }
|
|
87
|
}
|
|
88
|
|
|
89
|
</style>
|
|
90
|
</head>
|
|
91
|
<body>
|
|
92
|
<div id="container">
|
|
93
|
<div class="title"><img src="data:image/png;base64,R0lGODlhuAA6ANUAAHl8f9LT1P+ymaWnqf+MZldbX/T09GJmaenp6oSHit3e35udn4+SlP/ZzG5xdLy9v8fIyf9wQP/18rCytP/i2f+Wc/+DWf/Pv/95Tf+pjf/Fsv/s5f+ggP+zmf+8pf+fgP/Gs/+8pv+pjP/s5kxQVP9mM////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAAAAAAALAAAAAC4ADoAAAb/QJNwSCwaj8ikcslsOp/QqHRKrVqv2Kx2y+16v+CweEwum8/otHrNbrvf8Lh8Tq/b7/h81RCYMBwkAhEEAhcbThYliouLBA1EiRlJFSUCQpSMjBEch0MNmZkEGkYGCwckqAUJDwZDCSQLSQskDEKADAgFqLu8vAu6vbwFCFZ8AwmnvQKZgxkaFEmgoKNCigTRikIR0prUJsvcjRJDEMDBtK27SeomqAAB5/HyuwFUyPOB4dYXRvqL0CasYStRzZ+iR98UDSLAkCGjCkIU9HIAiNeEdqjWZcQIwEACACABJOtVYJa7kCgTtJqCDxW4RR0CMrJUZJGRDYlKcCh4DYlN/5kEjTTIiUEIOJpEJHBY9AhAKlZCDDxI9gAjCY1XORqBRwJAEa5eu7TMxyhmJqRDfha5oJDnwIJBjVD4l7ASEgKKKkhEpeCIgr5WsQpxt5UwEbBexr5UZHZmv2xHfgr0CVmtEUyWjiJhWyIC4iXsjrAzfJi0kM9cFDPCIEHC2cdxa1Yu0TPy7NhFNGumXIJrAiahjYzuWph4aeOpW76MQEFCzkVo4R7ZIJn2W6BJPtndbbvE3mGgN4reaPp0edRbVHdu/hw67CMZ8rrlLR2JbkXRidhMdgAwkuBFDBfWcQOah1x6yh1kAl6g5AedABBCuJSCMtX2HnZIYFZXfkJwFv+BCVyhMoBg/5F3oIEFgoiKAwG06CIWqoUgm3szhiPJfN3VJxdTG94lnwnl7OKAf0QAWKSJKap4YojB1GKFag0RAAJQ+MEWzk44XrjIOEU0sE0JRfVYhFKLeIOAU7uMGKB4wiFZXIpM9pJkFOrBRKVdM0YY4XM3TpbjneHwU5c/FhgxgTlDHpnVeFmVpyScqaAEUj1PJliWCR2E0EADGDgIWRETlnCIn1oa5M1i3FjAZRFn8qJmYCU2euKjXzkKo6WLfLApNB/gqd+nRTAoCakzwiUNBhl0YpQ+oixx6C5OGjmEgG/WOuut+KAqnwhVFnsEZ9cQ+2tQlmESJhHcSdH/KioXSTuYm9ZCeu0VdS6iKgg0jvuWuGndRgR13Q6R7hQMoHIArIy+myR6tIqFq0IjzJVvv7jpq0ih9GEosEKrimlFMnst2qasC59nK70PlxDTlwFTjATARW35rSJhWmaCBF/euKyvVaAZIjFGIEBtvEQ7nG0mjU2sYxEayJcTh5hgabMJHiyi7MBSGABMAGg6WYRJYTnKMMNZ1KvynZ5WfDMGinhANV1ENE3h1Cawbd3OHAZN5BAepWLCA7tURQTgqAgutsnzVno0IwT06tiMm0begAZ2RzCOBHZX0oAEDWByt8ZEaFcCQlgbAYHBC0BQTx8jqVkRLQEoAEHBBk87/+vYK7qoO6VUHPP6OdouMogACI2rj6AmUMAyKKq6fASDGJdexAAtea2AOcEU4N/hS+JTwEpW9PGHMpoQYogS/kSAvBAUtLdIBR1/iYTEQUlPhEfYC/OqEOvKCbTC1TrOPHinhQA8YAEA0EAFiNexJWQgShD0QAOHcAEONCQDxRuCBwigMyNs0G3JYwhAmhCAY4QkARMAXxFmFxIGEFAIH9lfVD4CAVZJ6oa/0YMOd8jDHvrwh0AMohCnYAAV8m+IQ0QgSFZhgjOFZAH+GQBIGNAKBUgKARCQFJD4MyID0I4ECUCAFSPyEQDU8G9eOxP4BnBGIZgRiWIAgAMGIEUSDP8AHiEpAHhewYBfOEBFC6DjAAxAPUGOqAAOeMADEvAb6i0gAAhU3VVycYA6VoV6goMHpQxAgj9OS4Zw5AIAXiVHTfKPBBMQ2kVU9AB4TE9kpiQCSGplAgZ8D4YHo94BWhFLwv3PjqEEwyiHQL1YmqCS8PjlHUVmAuoRQWgdIULB2qgiE8xSCM4cgC5GFEsGHKAknwzmF4YJQxaRgFKqdOUn4RFINVFvikIAXAHaaABAqMQ81hyQK6UIgGHEsiTeDKc4uyBHOjrlkbQYgClIgAB1DmaZIcFmVwCQQxMowJ5rJME8q3nNakpRaC48J5BIIDuSPnSgBD3AE/nQyVOwqJr102olM515BOp5MiKAkGQ+h7BPr8yimCb4hRDA2Q5QotQK5OSpSA9wMBWB75wOlWgSjOnGd1yloxO4ihRNoDVd1OObIClAU4F5VC0k1TyrAyY8BCe0Fs2UmUTIKpEMcIAEuBIZKzFFM8OS1XNKhAF0LFhfyFpWLJxVRZTqZyscUABFfpOlrxTkBCSiUqf88RUgOYVOT2fGWcRiq0I4RR9IAL4DxKIrhjRiYZ9wWIkALRd9saLB+hJVE/TVbxNYqUUZsMQaXi+ewFhAKyZQ0WQuoKLNrEVlQ/K/1Tr3udCNrnSnS93qWve62M2udrfL3e5697tjCAIAOw==" width="184" height="58"><h1>Burp Scanner Report</h1></div>
|
|
94
|
<h1>Summary</h1>
|
|
95
|
<span class="TEXT">The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as High, Medium, Low or Information. This reflects the likely impact of each issue for a typical organization. Issues are also classified according to confidence as Certain, Firm or Tentative. This reflects the inherent reliability of the technique that was used to identify the issue.</span><br><br><table cellpadding="0" cellspacing="0" class="overview_table">
|
|
96
|
<tr>
|
|
97
|
<td width="70"> </td>
|
|
98
|
<td width="90"> </td>
|
|
99
|
<td colspan="4" height="40" align="center" class="label">Confidence</td>
|
|
100
|
</tr>
|
|
101
|
<tr>
|
|
102
|
<td width="70"> </td>
|
|
103
|
<td width="90"> </td>
|
|
104
|
<td width="82" height="30" class="info">Certain</td>
|
|
105
|
<td width="82" height="30" class="info">Firm</td>
|
|
106
|
<td width="82" height="30" class="info">Tentative</td>
|
|
107
|
<td width="82" height="30" class="info_end">Total</td>
|
|
108
|
</tr>
|
|
109
|
<tr>
|
|
110
|
<td rowspan="4" valign="middle" class="label">Severity</td>
|
|
111
|
<td class="info" height="30">High</td>
|
|
112
|
<td class="colour_holder"><span class="colour_block high_certain">0</span></td>
|
|
113
|
<td class="colour_holder"><span class="colour_block high_firm">0</span></td>
|
|
114
|
<td class="colour_holder"><span class="colour_block high_tentative">0</span></td>
|
|
115
|
<td class="colour_holder_end"><span class="colour_block row_total">0</span></td>
|
|
116
|
</tr>
|
|
117
|
<tr>
|
|
118
|
<td class="info" height="30">Medium</td>
|
|
119
|
<td class="colour_holder"><span class="colour_block medium_certain">0</span></td>
|
|
120
|
<td class="colour_holder"><span class="colour_block medium_firm">0</span></td>
|
|
121
|
<td class="colour_holder"><span class="colour_block medium_tentative">0</span></td>
|
|
122
|
<td class="colour_holder_end"><span class="colour_block row_total">0</span></td>
|
|
123
|
</tr>
|
|
124
|
<tr>
|
|
125
|
<td class="info" height="30">Low</td>
|
|
126
|
<td class="colour_holder"><span class="colour_block low_certain">12</span></td>
|
|
127
|
<td class="colour_holder"><span class="colour_block low_firm">8</span></td>
|
|
128
|
<td class="colour_holder"><span class="colour_block low_tentative">1</span></td>
|
|
129
|
<td class="colour_holder_end"><span class="colour_block row_total">21</span></td>
|
|
130
|
</tr>
|
|
131
|
<tr>
|
|
132
|
<td class="info" height="30">Information</td>
|
|
133
|
<td class="colour_holder"><span class="colour_block info_certain">9</span></td>
|
|
134
|
<td class="colour_holder"><span class="colour_block info_firm">1</span></td>
|
|
135
|
<td class="colour_holder"><span class="colour_block info_tentative">0</span></td>
|
|
136
|
<td class="colour_holder_end"><span class="colour_block row_total">10</span></td>
|
|
137
|
</tr>
|
|
138
|
</table><br>
|
|
139
|
<span class="TEXT">The chart below shows the aggregated numbers of issues identified in each category. Solid colored bars represent issues with a confidence level of Certain, and the bars fade as the confidence level falls.</span><br><br><table cellpadding="0" cellspacing="0" class="overview_table">
|
|
140
|
<tr>
|
|
141
|
<td width="70"> </td>
|
|
142
|
<td width="90"> </td>
|
|
143
|
<td colspan="6" height="40" align="center" class="label">Number of issues</td>
|
|
144
|
</tr>
|
|
145
|
<tr>
|
|
146
|
<td width="70"> </td>
|
|
147
|
<td width="90"> </td>
|
|
148
|
<td width="125"><span class="grad_mark">0</span></td>
|
|
149
|
<td width="125"><span class="grad_mark">5</span></td>
|
|
150
|
<td width="125"><span class="grad_mark">10</span></td>
|
|
151
|
<td width="125"><span class="grad_mark">15</span></td>
|
|
152
|
<td width="125"><span class="grad_mark">20</span></td>
|
|
153
|
</tr>
|
|
154
|
<tr>
|
|
155
|
<td rowspan="3" valign="middle" class="label">Severity</td>
|
|
156
|
<td class="info">High</td>
|
|
157
|
<td colspan="5" height="30">
|
|
158
|
<table cellpadding="0" cellspacing="0"><tr><td><img class="bar" src="data:image/png;base64,R0lGODlhAQABAIAAAP8AAAAAACH/C1hNUCBEYXRhWE1QPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNS4zLWMwMTEgNjYuMTQ1NjYxLCAyMDEyLzAyLzA2LTE0OjU2OjI3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOnhtcE1NPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvbW0vIiB4bWxuczpzdFJlZj0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBlL1Jlc291cmNlUmVmIyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgQ1M2IChNYWNpbnRvc2gpIiB4bXBNTTpJbnN0YW5jZUlEPSJ4bXAuaWlkOjY0RDFGNDAzODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIiB4bXBNTTpEb2N1bWVudElEPSJ4bXAuZGlkOjY0RDFGNDA0ODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIj4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6NjREMUY0MDE4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiIHN0UmVmOmRvY3VtZW50SUQ9InhtcC5kaWQ6NjREMUY0MDI4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiLz4gPC9yZGY6RGVzY3JpcHRpb24+IDwvcmRmOlJERj4gPC94OnhtcG1ldGE+IDw/eHBhY2tldCBlbmQ9InIiPz4B//79/Pv6+fj39vX08/Lx8O/u7ezr6uno5+bl5OPi4eDf3t3c29rZ2NfW1dTT0tHQz87NzMvKycjHxsXEw8LBwL++vby7urm4t7a1tLOysbCvrq2sq6qpqKempaSjoqGgn56dnJuamZiXlpWUk5KRkI+OjYyLiomIh4aFhIOCgYB/fn18e3p5eHd2dXRzcnFwb25tbGtqaWhnZmVkY2JhYF9eXVxbWllYV1ZVVFNSUVBPTk1MS0pJSEdGRURDQkFAPz49PDs6OTg3NjU0MzIxMC8uLSwrKikoJyYlJCMiISAfHh0cGxoZGBcWFRQTEhEQDw4NDAsKCQgHBgUEAwIBAAAh+QQAAAAAACwAAAAAAQABAAACAkQBADs=" width="0" height="16"></td><td><img class="bar" src="data:image/png;base64,R0lGODlhAQABAIAAAP9mZgAAACH/C1hNUCBEYXRhWE1QPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNS4zLWMwMTEgNjYuMTQ1NjYxLCAyMDEyLzAyLzA2LTE0OjU2OjI3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOnhtcE1NPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvbW0vIiB4bWxuczpzdFJlZj0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBlL1Jlc291cmNlUmVmIyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgQ1M2IChNYWNpbnRvc2gpIiB4bXBNTTpJbnN0YW5jZUlEPSJ4bXAuaWlkOjY0RDFGNDA3ODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIiB4bXBNTTpEb2N1bWVudElEPSJ4bXAuZGlkOjY0RDFGNDA4ODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIj4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6NjREMUY0MDU4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiIHN0UmVmOmRvY3VtZW50SUQ9InhtcC5kaWQ6NjREMUY0MDY4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiLz4gPC9yZGY6RGVzY3JpcHRpb24+IDwvcmRmOlJERj4gPC94OnhtcG1ldGE+IDw/eHBhY2tldCBlbmQ9InIiPz4B//79/Pv6+fj39vX08/Lx8O/u7ezr6uno5+bl5OPi4eDf3t3c29rZ2NfW1dTT0tHQz87NzMvKycjHxsXEw8LBwL++vby7urm4t7a1tLOysbCvrq2sq6qpqKempaSjoqGgn56dnJuamZiXlpWUk5KRkI+OjYyLiomIh4aFhIOCgYB/fn18e3p5eHd2dXRzcnFwb25tbGtqaWhnZmVkY2JhYF9eXVxbWllYV1ZVVFNSUVBPTk1MS0pJSEdGRURDQkFAPz49PDs6OTg3NjU0MzIxMC8uLSwrKikoJyYlJCMiISAfHh0cGxoZGBcWFRQTEhEQDw4NDAsKCQgHBgUEAwIBAAAh+QQAAAAAACwAAAAAAQABAAACAkQBADs=" width="0" height="16"></td><td><img class="bar" src="data:image/png;base64,R0lGODlhAQABAIAAAP/MzAAAACH/C1hNUCBEYXRhWE1QPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNS4zLWMwMTEgNjYuMTQ1NjYxLCAyMDEyLzAyLzA2LTE0OjU2OjI3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOnhtcE1NPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvbW0vIiB4bWxuczpzdFJlZj0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBlL1Jlc291cmNlUmVmIyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgQ1M2IChNYWNpbnRvc2gpIiB4bXBNTTpJbnN0YW5jZUlEPSJ4bXAuaWlkOjg0Q0E0ODg0ODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIiB4bXBNTTpEb2N1bWVudElEPSJ4bXAuZGlkOjg0Q0E0ODg1ODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIj4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6NjREMUY0MDk4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiIHN0UmVmOmRvY3VtZW50SUQ9InhtcC5kaWQ6NjREMUY0MEE4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiLz4gPC9yZGY6RGVzY3JpcHRpb24+IDwvcmRmOlJERj4gPC94OnhtcG1ldGE+IDw/eHBhY2tldCBlbmQ9InIiPz4B//79/Pv6+fj39vX08/Lx8O/u7ezr6uno5+bl5OPi4eDf3t3c29rZ2NfW1dTT0tHQz87NzMvKycjHxsXEw8LBwL++vby7urm4t7a1tLOysbCvrq2sq6qpqKempaSjoqGgn56dnJuamZiXlpWUk5KRkI+OjYyLiomIh4aFhIOCgYB/fn18e3p5eHd2dXRzcnFwb25tbGtqaWhnZmVkY2JhYF9eXVxbWllYV1ZVVFNSUVBPTk1MS0pJSEdGRURDQkFAPz49PDs6OTg3NjU0MzIxMC8uLSwrKikoJyYlJCMiISAfHh0cGxoZGBcWFRQTEhEQDw4NDAsKCQgHBgUEAwIBAAAh+QQAAAAAACwAAAAAAQABAAACAkQBADs=" width="0" height="16"></td></tr></table>
|
|
159
|
</td>
|
|
160
|
<td> </td>
|
|
161
|
</tr>
|
|
162
|
<tr>
|
|
163
|
<td class="info">Medium</td>
|
|
164
|
<td colspan="5" height="30">
|
|
165
|
<table cellpadding="0" cellspacing="0"><tr><td><img class="bar" src="data:image/png;base64,R0lGODlhAQABAIAAAP+ZAAAAACH/C1hNUCBEYXRhWE1QPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNS4zLWMwMTEgNjYuMTQ1NjYxLCAyMDEyLzAyLzA2LTE0OjU2OjI3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOnhtcE1NPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvbW0vIiB4bWxuczpzdFJlZj0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBlL1Jlc291cmNlUmVmIyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgQ1M2IChNYWNpbnRvc2gpIiB4bXBNTTpJbnN0YW5jZUlEPSJ4bXAuaWlkOjg0Q0E0ODg4ODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIiB4bXBNTTpEb2N1bWVudElEPSJ4bXAuZGlkOjg0Q0E0ODg5ODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIj4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6ODRDQTQ4ODY4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiIHN0UmVmOmRvY3VtZW50SUQ9InhtcC5kaWQ6ODRDQTQ4ODc4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiLz4gPC9yZGY6RGVzY3JpcHRpb24+IDwvcmRmOlJERj4gPC94OnhtcG1ldGE+IDw/eHBhY2tldCBlbmQ9InIiPz4B//79/Pv6+fj39vX08/Lx8O/u7ezr6uno5+bl5OPi4eDf3t3c29rZ2NfW1dTT0tHQz87NzMvKycjHxsXEw8LBwL++vby7urm4t7a1tLOysbCvrq2sq6qpqKempaSjoqGgn56dnJuamZiXlpWUk5KRkI+OjYyLiomIh4aFhIOCgYB/fn18e3p5eHd2dXRzcnFwb25tbGtqaWhnZmVkY2JhYF9eXVxbWllYV1ZVVFNSUVBPTk1MS0pJSEdGRURDQkFAPz49PDs6OTg3NjU0MzIxMC8uLSwrKikoJyYlJCMiISAfHh0cGxoZGBcWFRQTEhEQDw4NDAsKCQgHBgUEAwIBAAAh+QQAAAAAACwAAAAAAQABAAACAkQBADs=" width="0" height="16"></td><td><img class="bar" src="data:image/png;base64,R0lGODlhAQABAIAAAP/CZgAAACH/C1hNUCBEYXRhWE1QPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNS4zLWMwMTEgNjYuMTQ1NjYxLCAyMDEyLzAyLzA2LTE0OjU2OjI3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOnhtcE1NPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvbW0vIiB4bWxuczpzdFJlZj0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBlL1Jlc291cmNlUmVmIyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgQ1M2IChNYWNpbnRvc2gpIiB4bXBNTTpJbnN0YW5jZUlEPSJ4bXAuaWlkOjg0Q0E0ODhDODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIiB4bXBNTTpEb2N1bWVudElEPSJ4bXAuZGlkOjg0Q0E0ODhEODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIj4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6ODRDQTQ4OEE4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiIHN0UmVmOmRvY3VtZW50SUQ9InhtcC5kaWQ6ODRDQTQ4OEI4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiLz4gPC9yZGY6RGVzY3JpcHRpb24+IDwvcmRmOlJERj4gPC94OnhtcG1ldGE+IDw/eHBhY2tldCBlbmQ9InIiPz4B//79/Pv6+fj39vX08/Lx8O/u7ezr6uno5+bl5OPi4eDf3t3c29rZ2NfW1dTT0tHQz87NzMvKycjHxsXEw8LBwL++vby7urm4t7a1tLOysbCvrq2sq6qpqKempaSjoqGgn56dnJuamZiXlpWUk5KRkI+OjYyLiomIh4aFhIOCgYB/fn18e3p5eHd2dXRzcnFwb25tbGtqaWhnZmVkY2JhYF9eXVxbWllYV1ZVVFNSUVBPTk1MS0pJSEdGRURDQkFAPz49PDs6OTg3NjU0MzIxMC8uLSwrKikoJyYlJCMiISAfHh0cGxoZGBcWFRQTEhEQDw4NDAsKCQgHBgUEAwIBAAAh+QQAAAAAACwAAAAAAQABAAACAkQBADs=" width="0" height="16"></td><td><img class="bar" src="data:image/png;base64,R0lGODlhAQABAIAAAP/rzAAAACH/C1hNUCBEYXRhWE1QPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNS4zLWMwMTEgNjYuMTQ1NjYxLCAyMDEyLzAyLzA2LTE0OjU2OjI3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOnhtcE1NPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvbW0vIiB4bWxuczpzdFJlZj0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBlL1Jlc291cmNlUmVmIyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgQ1M2IChNYWNpbnRvc2gpIiB4bXBNTTpJbnN0YW5jZUlEPSJ4bXAuaWlkOkI1MDMwNTM3ODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIiB4bXBNTTpEb2N1bWVudElEPSJ4bXAuZGlkOkI1MDMwNTM4ODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIj4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6ODRDQTQ4OEU4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiIHN0UmVmOmRvY3VtZW50SUQ9InhtcC5kaWQ6QjUwMzA1MzY4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiLz4gPC9yZGY6RGVzY3JpcHRpb24+IDwvcmRmOlJERj4gPC94OnhtcG1ldGE+IDw/eHBhY2tldCBlbmQ9InIiPz4B//79/Pv6+fj39vX08/Lx8O/u7ezr6uno5+bl5OPi4eDf3t3c29rZ2NfW1dTT0tHQz87NzMvKycjHxsXEw8LBwL++vby7urm4t7a1tLOysbCvrq2sq6qpqKempaSjoqGgn56dnJuamZiXlpWUk5KRkI+OjYyLiomIh4aFhIOCgYB/fn18e3p5eHd2dXRzcnFwb25tbGtqaWhnZmVkY2JhYF9eXVxbWllYV1ZVVFNSUVBPTk1MS0pJSEdGRURDQkFAPz49PDs6OTg3NjU0MzIxMC8uLSwrKikoJyYlJCMiISAfHh0cGxoZGBcWFRQTEhEQDw4NDAsKCQgHBgUEAwIBAAAh+QQAAAAAACwAAAAAAQABAAACAkQBADs=" width="0" height="16"></td></tr></table>
|
|
166
|
</td>
|
|
167
|
<td> </td>
|
|
168
|
</tr>
|
|
169
|
<tr>
|
|
170
|
<td class="info">Low</td>
|
|
171
|
<td colspan="5" height="30">
|
|
172
|
<table cellpadding="0" cellspacing="0"><tr><td><img class="bar" src="data:image/png;base64,R0lGODlhAQABAIAAAP/uAAAAACH/C1hNUCBEYXRhWE1QPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNS4zLWMwMTEgNjYuMTQ1NjYxLCAyMDEyLzAyLzA2LTE0OjU2OjI3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOnhtcE1NPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvbW0vIiB4bWxuczpzdFJlZj0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBlL1Jlc291cmNlUmVmIyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgQ1M2IChNYWNpbnRvc2gpIiB4bXBNTTpJbnN0YW5jZUlEPSJ4bXAuaWlkOkI1MDMwNTNCODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIiB4bXBNTTpEb2N1bWVudElEPSJ4bXAuZGlkOkI1MDMwNTNDODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIj4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6QjUwMzA1Mzk4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiIHN0UmVmOmRvY3VtZW50SUQ9InhtcC5kaWQ6QjUwMzA1M0E4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiLz4gPC9yZGY6RGVzY3JpcHRpb24+IDwvcmRmOlJERj4gPC94OnhtcG1ldGE+IDw/eHBhY2tldCBlbmQ9InIiPz4B//79/Pv6+fj39vX08/Lx8O/u7ezr6uno5+bl5OPi4eDf3t3c29rZ2NfW1dTT0tHQz87NzMvKycjHxsXEw8LBwL++vby7urm4t7a1tLOysbCvrq2sq6qpqKempaSjoqGgn56dnJuamZiXlpWUk5KRkI+OjYyLiomIh4aFhIOCgYB/fn18e3p5eHd2dXRzcnFwb25tbGtqaWhnZmVkY2JhYF9eXVxbWllYV1ZVVFNSUVBPTk1MS0pJSEdGRURDQkFAPz49PDs6OTg3NjU0MzIxMC8uLSwrKikoJyYlJCMiISAfHh0cGxoZGBcWFRQTEhEQDw4NDAsKCQgHBgUEAwIBAAAh+QQAAAAAACwAAAAAAQABAAACAkQBADs=" width="300" height="16"></td><td><img class="bar" src="data:image/png;base64,R0lGODlhAQABAIAAAP/1ZgAAACH/C1hNUCBEYXRhWE1QPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNS4zLWMwMTEgNjYuMTQ1NjYxLCAyMDEyLzAyLzA2LTE0OjU2OjI3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOnhtcE1NPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvbW0vIiB4bWxuczpzdFJlZj0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBlL1Jlc291cmNlUmVmIyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgQ1M2IChNYWNpbnRvc2gpIiB4bXBNTTpJbnN0YW5jZUlEPSJ4bXAuaWlkOkI1MDMwNTNGODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIiB4bXBNTTpEb2N1bWVudElEPSJ4bXAuZGlkOkI1MDMwNTQwODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIj4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6QjUwMzA1M0Q4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiIHN0UmVmOmRvY3VtZW50SUQ9InhtcC5kaWQ6QjUwMzA1M0U4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiLz4gPC9yZGY6RGVzY3JpcHRpb24+IDwvcmRmOlJERj4gPC94OnhtcG1ldGE+IDw/eHBhY2tldCBlbmQ9InIiPz4B//79/Pv6+fj39vX08/Lx8O/u7ezr6uno5+bl5OPi4eDf3t3c29rZ2NfW1dTT0tHQz87NzMvKycjHxsXEw8LBwL++vby7urm4t7a1tLOysbCvrq2sq6qpqKempaSjoqGgn56dnJuamZiXlpWUk5KRkI+OjYyLiomIh4aFhIOCgYB/fn18e3p5eHd2dXRzcnFwb25tbGtqaWhnZmVkY2JhYF9eXVxbWllYV1ZVVFNSUVBPTk1MS0pJSEdGRURDQkFAPz49PDs6OTg3NjU0MzIxMC8uLSwrKikoJyYlJCMiISAfHh0cGxoZGBcWFRQTEhEQDw4NDAsKCQgHBgUEAwIBAAAh+QQAAAAAACwAAAAAAQABAAACAkQBADs=" width="200" height="16"></td><td><img class="bar" src="data:image/png;base64,R0lGODlhAQABAIAAAP/8zAAAACH/C1hNUCBEYXRhWE1QPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNS4zLWMwMTEgNjYuMTQ1NjYxLCAyMDEyLzAyLzA2LTE0OjU2OjI3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOnhtcE1NPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvbW0vIiB4bWxuczpzdFJlZj0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBlL1Jlc291cmNlUmVmIyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgQ1M2IChNYWNpbnRvc2gpIiB4bXBNTTpJbnN0YW5jZUlEPSJ4bXAuaWlkOkU2OTVBQzRBODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIiB4bXBNTTpEb2N1bWVudElEPSJ4bXAuZGlkOkU2OTVBQzRCODk3QjExRTJCMkY1QUI4QUUwNzNBMzFDIj4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6RTY5NUFDNDg4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiIHN0UmVmOmRvY3VtZW50SUQ9InhtcC5kaWQ6RTY5NUFDNDk4OTdCMTFFMkIyRjVBQjhBRTA3M0EzMUMiLz4gPC9yZGY6RGVzY3JpcHRpb24+IDwvcmRmOlJERj4gPC94OnhtcG1ldGE+IDw/eHBhY2tldCBlbmQ9InIiPz4B//79/Pv6+fj39vX08/Lx8O/u7ezr6uno5+bl5OPi4eDf3t3c29rZ2NfW1dTT0tHQz87NzMvKycjHxsXEw8LBwL++vby7urm4t7a1tLOysbCvrq2sq6qpqKempaSjoqGgn56dnJuamZiXlpWUk5KRkI+OjYyLiomIh4aFhIOCgYB/fn18e3p5eHd2dXRzcnFwb25tbGtqaWhnZmVkY2JhYF9eXVxbWllYV1ZVVFNSUVBPTk1MS0pJSEdGRURDQkFAPz49PDs6OTg3NjU0MzIxMC8uLSwrKikoJyYlJCMiISAfHh0cGxoZGBcWFRQTEhEQDw4NDAsKCQgHBgUEAwIBAAAh+QQAAAAAACwAAAAAAQABAAACAkQBADs=" width="25" height="16"></td></tr></table>
|
|
173
|
</td>
|
|
174
|
<td> </td>
|
|
175
|
</tr>
|
|
176
|
</table>
|
|
177
|
|
|
178
|
<div class="rule"></div>
|
|
179
|
<h1>Contents</h1>
|
|
180
|
<p class="TOCH0"><a href="#1">1. Open redirection (DOM-based)</a></p>
|
|
181
|
<p class="TOCH0"><a href="#2">2. Password field with autocomplete enabled</a></p>
|
|
182
|
<p class="TOCH0"><a href="#3">3. Content type incorrectly stated</a></p>
|
|
183
|
<p class="TOCH1"><a href="#3.1">3.1. https://mp.ybx.greatcai.com/</a></p>
|
|
184
|
<p class="TOCH1"><a href="#3.2">3.2. https://mp.ybx.greatcai.com/CarApplication/CarApplicationQuery</a></p>
|
|
185
|
<p class="TOCH1"><a href="#3.3">3.3. https://mp.ybx.greatcai.com/ExpenseSettlement/Index</a></p>
|
|
186
|
<p class="TOCH1"><a href="#3.4">3.4. https://mp.ybx.greatcai.com/Login/LoginSMSCodeCheck</a></p>
|
|
187
|
<p class="TOCH1"><a href="#3.5">3.5. https://mp.ybx.greatcai.com/Login/SendLoginSMSCode</a></p>
|
|
188
|
<p class="TOCH1"><a href="#3.6">3.6. https://mp.ybx.greatcai.com/fonts/glyphicons-halflings-regular.woff2</a></p>
|
|
189
|
<p class="TOCH1"><a href="#3.7">3.7. https://mp.ybx.greatcai.com/login/tabmain</a></p>
|
|
190
|
<p class="TOCH1"><a href="#3.8">3.8. https://mp.ybx.greatcai.com/main</a></p>
|
|
191
|
<p class="TOCH0"><a href="#4">4. Strict transport security not enforced</a></p>
|
|
192
|
<p class="TOCH1"><a href="#4.1">4.1. https://file.ybx.greatcai.com/Attachments/G4000222/OrganizationFile/2022/09/21/426ab68ee8f84a8bbdb4245bcf39f858.png</a></p>
|
|
193
|
<p class="TOCH1"><a href="#4.2">4.2. https://mp.ybx.greatcai.com/</a></p>
|
|
194
|
<p class="TOCH1"><a href="#4.3">4.3. https://mp.ybx.greatcai.com/Assets/bootstrap-datetimepicker/js/bootstrap-datetimepicker.zh-CN.js</a></p>
|
|
195
|
<p class="TOCH1"><a href="#4.4">4.4. https://mp.ybx.greatcai.com/Content/base.css</a></p>
|
|
196
|
<p class="TOCH1"><a href="#4.5">4.5. https://mp.ybx.greatcai.com/Login</a></p>
|
|
197
|
<p class="TOCH1"><a href="#4.6">4.6. https://mp.ybx.greatcai.com/Login/LoginSMSCodeCheck</a></p>
|
|
198
|
<p class="TOCH1"><a href="#4.7">4.7. https://mp.ybx.greatcai.com/Login/Main</a></p>
|
|
199
|
<p class="TOCH1"><a href="#4.8">4.8. https://mp.ybx.greatcai.com/Login/SendLoginSMSCode</a></p>
|
|
200
|
<p class="TOCH1"><a href="#4.9">4.9. https://mp.ybx.greatcai.com/Scripts/Common.js</a></p>
|
|
201
|
<p class="TOCH1"><a href="#4.10">4.10. https://mp.ybx.greatcai.com/Scripts/fileinput_locale_zh.js</a></p>
|
|
202
|
<p class="TOCH1"><a href="#4.11">4.11. https://mp.ybx.greatcai.com/content/styles/admin.main.css</a></p>
|
|
203
|
<p class="TOCH0"><a href="#5">5. Frameable response (potential Clickjacking)</a></p>
|
|
204
|
<p class="TOCH0"><a href="#6">6. Cacheable HTTPS response</a></p>
|
|
205
|
<p class="TOCH1"><a href="#6.1">6.1. https://mp.ybx.greatcai.com/</a></p>
|
|
206
|
<p class="TOCH1"><a href="#6.2">6.2. https://mp.ybx.greatcai.com/Base/TimerMessage</a></p>
|
|
207
|
<p class="TOCH1"><a href="#6.3">6.3. https://mp.ybx.greatcai.com/Login</a></p>
|
|
208
|
<p class="TOCH1"><a href="#6.4">6.4. https://mp.ybx.greatcai.com/Login/LoginSMSCodeCheck</a></p>
|
|
209
|
<p class="TOCH1"><a href="#6.5">6.5. https://mp.ybx.greatcai.com/Login/Main</a></p>
|
|
210
|
<p class="TOCH1"><a href="#6.6">6.6. https://mp.ybx.greatcai.com/Login/SendLoginSMSCode</a></p>
|
|
211
|
<p class="TOCH1"><a href="#6.7">6.7. https://mp.ybx.greatcai.com/fonts/glyphicons-halflings-regular.woff2</a></p>
|
|
212
|
<p class="TOCH1"><a href="#6.8">6.8. https://mp.ybx.greatcai.com/login/tabmain</a></p>
|
|
213
|
<p class="TOCH1"><a href="#6.9">6.9. https://mp.ybx.greatcai.com/main</a></p>
|
|
214
|
<br><div class="rule"></div>
|
|
215
|
<span class="BODH0" id="1">1. <a href="https://portswigger.net/knowledgebase/issues/details/00500110_openredirectiondombased">Open redirection (DOM-based)</a></span>
|
|
216
|
<br><a class="PREVNEXT" href="#2">Next</a>
|
|
217
|
<br>
|
|
218
|
<h2>Summary</h2>
|
|
219
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
220
|
<tr>
|
|
221
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_tentative_rpt'></div></td>
|
|
222
|
<td>Severity: </td>
|
|
223
|
<td><b>Low</b></td>
|
|
224
|
</tr>
|
|
225
|
<tr>
|
|
226
|
<td>Confidence: </td>
|
|
227
|
<td><b>Tentative</b></td>
|
|
228
|
</tr>
|
|
229
|
<tr>
|
|
230
|
<td>Host: </td>
|
|
231
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
232
|
</tr>
|
|
233
|
<tr>
|
|
234
|
<td>Path: </td>
|
|
235
|
<td><b>/Login/Main</b></td>
|
|
236
|
</tr>
|
|
237
|
</table>
|
|
238
|
<h2>Issue detail</h2>
|
|
239
|
<span class="TEXT">The application may be vulnerable to DOM-based open redirection. Data is read from <b>location.href</b> and passed to <b>xhr.open</b>.</span>
|
|
240
|
<h2>Issue background</h2>
|
|
241
|
<span class="TEXT"><p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.</p>
|
|
242
|
|
|
243
|
<p>DOM-based open redirection arises when a script writes controllable data into the target of a redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a URL that, if visited by another application user, will cause a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.</p>
|
|
244
|
<p><b>Note:</b> If an attacker is able to control the start of the string that is passed to the redirection API, then it may be possible to escalate this vulnerability into a JavaScript injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary script code when the URL is processed by the browser.</p>
|
|
245
|
|
|
246
|
<p>Burp Suite automatically identifies this issue using static code analysis, which may lead to false positives that are not actually exploitable. The relevant code and execution paths should be reviewed to determine whether this vulnerability is indeed present, or whether mitigations are in place that would prevent exploitation.</p></span>
|
|
247
|
<h2>Issue remediation</h2>
|
|
248
|
<span class="TEXT"><p>The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically set redirection targets using data that originated from any untrusted source. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from introducing an arbitrary URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that are permitted redirection targets, and strictly validating the target against this list before performing the redirection.</p></span>
|
|
249
|
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
|
|
250
|
<li><a href="https://cwe.mitre.org/data/definitions/601.html">CWE-601: URL Redirection to Untrusted Site ('Open Redirect')</a></li>
|
|
251
|
</ul></span>
|
|
252
|
<h2>Request</h2>
|
|
253
|
<div class="rr_div"><span>GET /Login/Main HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>sec-ch-ua-platform: "Windows"<br>Upgrade-Insecure-Requests: 1<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: navigate<br>Sec-Fetch-User: ?1<br>Sec-Fetch-Dest: document<br>Referer: https://mp.ybx.greatcai.com/Login<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
254
|
<h2>Response</h2>
|
|
255
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:35 GMT<br>Content-Type: text/html; charset=utf-8<br>Connection: close<br>Vary: Accept-Encoding<br>Cache-Control: private<br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: fd94206,-<br>X-Cache: bypass<br>Content-Length: 158903<br><br><br><!DOCTYPE html><br><br><html lang="en" style="height: 100%;overflow-y: hidden;"><br><head><br> <meta charset="utf-8" /><br> <title>.....................</title><br> <meta content="width=device-wi<br><b>...[SNIP]...</b><br></span></div>
|
|
256
|
<h2>Dynamic analysis</h2><p>Data is read from <b>location.href</b> and passed to <b>xhr.open</b>.</p><p>The following value was injected into the source:</p><pre>https://mp.ybx.greatcai.com/Login/Main?temy40=temy40%27%22`'"/temy40/><temy40/\>wz937v&</pre><p>The previous value reached the sink as:</p><pre>https://mp.ybx.greatcai.com/Login/Main?temy40=temy40%27%22`'"/temy40/><temy40/\>wz937v&&X-Requested-With=XMLHttpRequest</pre><p>The stack trace at the source was:</p><pre>at Object.get href [as href] (<anonymous>:1695:56)<br>at ajax (https://mp.ybx.greatcai.com/Scripts/jquery-3.1.1.min.js:4:12029)<br>at Proxy.$.ajax (https://mp.ybx.greatcai.com/Scripts/Common.js:4554:16)<br>at asyncRequest (https://mp.ybx.greatcai.com/Scripts/jquery.unobtrusive-ajax.js:121:11)<br>at HTMLAnchorElement.<anonymous> (https://mp.ybx.greatcai.com/Scripts/jquery.unobtrusive-ajax.js:131:9)<br>at HTMLDocument.dispatch (https://mp.ybx.greatcai.com/Scripts/jquery-3.1.1.min.js:3:10315)<br>at HTMLDocument.q.handle (https://mp.ybx.greatcai.com/Scripts/jquery-3.1.1.min.js:3:8342)<br>at createMouseEvent (<anonymous>:2869:17)<br>at ready (<anonymous>:2986:25)</pre><p>The stack trace at the sink was:</p><pre>at XMLHttpRequest.win.XMLHttpRequest.open (<anonymous>:1788:21)<br>at Object.send (https://mp.ybx.greatcai.com/Scripts/jquery-3.1.1.min.js:4:16016)<br>at ajax (https://mp.ybx.greatcai.com/Scripts/jquery-3.1.1.min.js:4:13670)<br>at Proxy.$.ajax (https://mp.ybx.greatcai.com/Scripts/Common.js:4554:16)<br>at asyncRequest (https://mp.ybx.greatcai.com/Scripts/jquery.unobtrusive-ajax.js:121:11)<br>at HTMLAnchorElement.<anonymous> (https://mp.ybx.greatcai.com/Scripts/jquery.unobtrusive-ajax.js:131:9)<br>at HTMLDocument.dispatch (https://mp.ybx.greatcai.com/Scripts/jquery-3.1.1.min.js:3:10315)<br>at HTMLDocument.q.handle (https://mp.ybx.greatcai.com/Scripts/jquery-3.1.1.min.js:3:8342)<br>at createMouseEvent (<anonymous>:2869:17)<br>at ready (<anonymous>:2986:25)</pre><div class="rule"></div>
|
|
257
|
<span class="BODH0" id="2">2. <a href="https://portswigger.net/knowledgebase/issues/details/00500800_passwordfieldwithautocompleteenabled">Password field with autocomplete enabled</a></span>
|
|
258
|
<br><a class="PREVNEXT" href="#1">Previous</a>
|
|
259
|
<a class="PREVNEXT" href="#3">Next</a>
|
|
260
|
<br>
|
|
261
|
<h2>Summary</h2>
|
|
262
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
263
|
<tr>
|
|
264
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
|
|
265
|
<td>Severity: </td>
|
|
266
|
<td><b>Low</b></td>
|
|
267
|
</tr>
|
|
268
|
<tr>
|
|
269
|
<td>Confidence: </td>
|
|
270
|
<td><b>Certain</b></td>
|
|
271
|
</tr>
|
|
272
|
<tr>
|
|
273
|
<td>Host: </td>
|
|
274
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
275
|
</tr>
|
|
276
|
<tr>
|
|
277
|
<td>Path: </td>
|
|
278
|
<td><b>/Login</b></td>
|
|
279
|
</tr>
|
|
280
|
</table>
|
|
281
|
<h2>Issue detail</h2>
|
|
282
|
<span class="TEXT">The page contains a form with the following action URL:<ul><li>https://mp.ybx.greatcai.com/Login</li></ul>The form contains the following password field with autocomplete enabled:<ul><li>password</li></ul></span>
|
|
283
|
<h2>Issue background</h2>
|
|
284
|
<span class="TEXT"><p>Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications that employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.</p>
|
|
285
|
<p>The stored credentials can be captured by an attacker who gains control over the user's computer. Further, an attacker who finds a separate application vulnerability such as cross-site scripting may be able to exploit this to retrieve a user's browser-stored credentials. </p></span>
|
|
286
|
<h2>Issue remediation</h2>
|
|
287
|
<span class="TEXT"><p>To prevent browsers from storing credentials entered into HTML forms, include the attribute <b>autocomplete="off"</b> within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).</p>
|
|
288
|
<p>Please note that modern web browsers may ignore this directive. In spite of this there is a chance that not disabling autocomplete may cause problems obtaining PCI compliance.</p></span>
|
|
289
|
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
|
|
290
|
<li><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200: Information Exposure</a></li>
|
|
291
|
</ul></span>
|
|
292
|
<h2>Request</h2>
|
|
293
|
<div class="rr_div"><span>POST /Login HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>Content-Length: 63<br>Cache-Control: max-age=0<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>sec-ch-ua-platform: "Windows"<br>Upgrade-Insecure-Requests: 1<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>Origin: https://mp.ybx.greatcai.com<br>Content-Type: application/x-www-form-urlencoded<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: navigate<br>Sec-Fetch-User: ?1<br>Sec-Fetch-Dest: document<br>Referer: https://mp.ybx.greatcai.com/Login<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br>userName=songjj%40YBX&password=E8F8A55DB55D265B7963468366037E06</span></div>
|
|
294
|
<h2>Response</h2>
|
|
295
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:20:51 GMT<br>Content-Type: text/html; charset=utf-8<br>Connection: close<br>Vary: Accept-Encoding<br>Cache-Control: private<br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 2d38dcb,-<br>X-Cache: bypass<br>Content-Length: 8384<br><br><br><!DOCTYPE html><br><br><html><br><head><br> <meta charset="utf-8" /><br> <meta name="viewport" content="width=device-width" /><br> <meta http-equiv="X-UA-Compatible" content="IE=11" /><br> <titl<br><b>...[SNIP]...</b><br><ul class="input_postion"><br><span class="HIGHLIGHT"><form action="/Login" method="post"></span> <li><br><b>...[SNIP]...</b><br><img src="/images/password.png" style="width:24px;" /><br> <span class="HIGHLIGHT"><input class="m-wrap placeholder-no-fix" data-val="true" data-val-required=".................." id="password" name="password" placeholder="......" type="password" value="" /></span><br> </li><br><b>...[SNIP]...</b><br></span></div>
|
|
296
|
<div class="rule"></div>
|
|
297
|
<span class="BODH0" id="3">3. <a href="https://portswigger.net/knowledgebase/issues/details/00800400_contenttypeincorrectlystated">Content type incorrectly stated</a></span>
|
|
298
|
<br><a class="PREVNEXT" href="#2">Previous</a>
|
|
299
|
<a class="PREVNEXT" href="#4">Next</a>
|
|
300
|
<br>
|
|
301
|
<br><span class="TEXT">There are 8 instances of this issue:
|
|
302
|
<ul>
|
|
303
|
<li><a href="#3.1">/</a></li>
|
|
304
|
<li><a href="#3.2">/CarApplication/CarApplicationQuery</a></li>
|
|
305
|
<li><a href="#3.3">/ExpenseSettlement/Index</a></li>
|
|
306
|
<li><a href="#3.4">/Login/LoginSMSCodeCheck</a></li>
|
|
307
|
<li><a href="#3.5">/Login/SendLoginSMSCode</a></li>
|
|
308
|
<li><a href="#3.6">/fonts/glyphicons-halflings-regular.woff2</a></li>
|
|
309
|
<li><a href="#3.7">/login/tabmain</a></li>
|
|
310
|
<li><a href="#3.8">/main</a></li>
|
|
311
|
</ul></span>
|
|
312
|
<h2>Issue background</h2>
|
|
313
|
<span class="TEXT"><p>If a response specifies an incorrect content type then browsers may process the response in unexpected ways. If the content type is specified to be a renderable text-based format, then the browser will usually attempt to interpret the response as being in that format, regardless of the actual contents of the response. Additionally, some other specified content types might sometimes be interpreted as HTML due to quirks in particular browsers. This behavior might lead to otherwise "safe" content such as images being rendered as HTML, enabling cross-site scripting attacks in certain conditions.</p>
|
|
314
|
<p>The presence of an incorrect content type statement typically only constitutes a security flaw when the affected resource is dynamically generated, uploaded by a user, or otherwise contains user input. You should review the contents of affected responses, and the context in which they appear, to determine whether any vulnerability exists.</p></span>
|
|
315
|
<h2>Issue remediation</h2>
|
|
316
|
<span class="TEXT"><p>For every response containing a message body, the application should include a single Content-type header that correctly and unambiguously states the MIME type of the content in the response body.</p>
|
|
317
|
<p>Additionally, the response header "X-content-type-options: nosniff" should be returned in all responses to reduce the likelihood that browsers will interpret content in a way that disregards the Content-type header.</p></span>
|
|
318
|
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
|
|
319
|
<li><a href="https://cwe.mitre.org/data/definitions/16.html">CWE-16: Configuration</a></li>
|
|
320
|
<li><a href="https://cwe.mitre.org/data/definitions/436.html">CWE-436: Interpretation Conflict</a></li>
|
|
321
|
</ul></span>
|
|
322
|
<br><br><div class="rule"></div>
|
|
323
|
<span class="BODH1" id="3.1">3.1. https://mp.ybx.greatcai.com/</span>
|
|
324
|
<br><a class="PREVNEXT" href="#3.2">Next</a>
|
|
325
|
<br>
|
|
326
|
<h2>Summary</h2>
|
|
327
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
328
|
<tr>
|
|
329
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_firm_rpt'></div></td>
|
|
330
|
<td>Severity: </td>
|
|
331
|
<td><b>Low</b></td>
|
|
332
|
</tr>
|
|
333
|
<tr>
|
|
334
|
<td>Confidence: </td>
|
|
335
|
<td><b>Firm</b></td>
|
|
336
|
</tr>
|
|
337
|
<tr>
|
|
338
|
<td>Host: </td>
|
|
339
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
340
|
</tr>
|
|
341
|
<tr>
|
|
342
|
<td>Path: </td>
|
|
343
|
<td><b>/</b></td>
|
|
344
|
</tr>
|
|
345
|
</table>
|
|
346
|
<h2>Issue detail</h2>
|
|
347
|
<span class="TEXT">The response states that the content type is <b>text/html</b>. However, it actually appears to contain <b>unrecognized content</b>.<br><br>All browsers may interpret the response as HTML.This issue was found in multiple locations under the reported path.</span>
|
|
348
|
<h2>Request</h2>
|
|
349
|
<div class="rr_div"><span>GET /Policy/DownloadLog HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Accept: text/html, */*; q=0.01<br>X-Requested-With: XMLHttpRequest<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: empty<br>Referer: https://mp.ybx.greatcai.com/login/tabmain?url=%2fpolicy%2fdownloadlog<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
350
|
<h2>Response</h2>
|
|
351
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:24:09 GMT<br><span class="HIGHLIGHT">Content-Type: text/html; charset=utf-8</span><br>Connection: close<br>Vary: Accept-Encoding<br>Cache-Control: private<br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 0be137b,-<br>X-Cache: bypass<br>Content-Length: 347652<br><br><br><div id="divStatusSearchDoing" style="filter: alpha(opacity=30); -moz-opacity: 0.3; opacity: 0.3;<br> width: 100%; height: 100%; z-index: 1200; position: absolute;<br> <br><b>...[SNIP]...</b><br></span></div>
|
|
352
|
<div class="rule"></div>
|
|
353
|
<span class="BODH1" id="3.2">3.2. https://mp.ybx.greatcai.com/CarApplication/CarApplicationQuery</span>
|
|
354
|
<br><a class="PREVNEXT" href="#3.1">Previous</a>
|
|
355
|
<a class="PREVNEXT" href="#3.3">Next</a>
|
|
356
|
<br>
|
|
357
|
<h2>Summary</h2>
|
|
358
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
359
|
<tr>
|
|
360
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_firm_rpt'></div></td>
|
|
361
|
<td>Severity: </td>
|
|
362
|
<td><b>Low</b></td>
|
|
363
|
</tr>
|
|
364
|
<tr>
|
|
365
|
<td>Confidence: </td>
|
|
366
|
<td><b>Firm</b></td>
|
|
367
|
</tr>
|
|
368
|
<tr>
|
|
369
|
<td>Host: </td>
|
|
370
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
371
|
</tr>
|
|
372
|
<tr>
|
|
373
|
<td>Path: </td>
|
|
374
|
<td><b>/CarApplication/CarApplicationQuery</b></td>
|
|
375
|
</tr>
|
|
376
|
</table>
|
|
377
|
<h2>Issue detail</h2>
|
|
378
|
<span class="TEXT">The response states that the content type is <b>text/html</b>. However, it actually appears to contain <b>unrecognized content</b>.<br><br>All browsers may interpret the response as HTML.</span>
|
|
379
|
<h2>Request</h2>
|
|
380
|
<div class="rr_div"><span>GET /CarApplication/CarApplicationQuery HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Accept: text/html, */*; q=0.01<br>X-Requested-With: XMLHttpRequest<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: empty<br>Referer: https://mp.ybx.greatcai.com/login/tabmain?url=%2fcarapplication%2fcarapplicationquery<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
381
|
<h2>Response</h2>
|
|
382
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:59 GMT<br><span class="HIGHLIGHT">Content-Type: text/html; charset=utf-8</span><br>Connection: close<br>Vary: Accept-Encoding<br>Cache-Control: private<br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 0be137b,-<br>X-Cache: bypass<br>Content-Length: 135933<br><br><br><script src="/Scripts/Common.js"></script><br><!--JS............--><br><script src="/Scripts/CryptoJS/rollups/aes.js"></script><br><script src="/Scripts/CryptoJS/components/mode-ecb-min.js"></script><br><<br><b>...[SNIP]...</b><br></span></div>
|
|
383
|
<div class="rule"></div>
|
|
384
|
<span class="BODH1" id="3.3">3.3. https://mp.ybx.greatcai.com/ExpenseSettlement/Index</span>
|
|
385
|
<br><a class="PREVNEXT" href="#3.2">Previous</a>
|
|
386
|
<a class="PREVNEXT" href="#3.4">Next</a>
|
|
387
|
<br>
|
|
388
|
<h2>Summary</h2>
|
|
389
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
390
|
<tr>
|
|
391
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_firm_rpt'></div></td>
|
|
392
|
<td>Severity: </td>
|
|
393
|
<td><b>Low</b></td>
|
|
394
|
</tr>
|
|
395
|
<tr>
|
|
396
|
<td>Confidence: </td>
|
|
397
|
<td><b>Firm</b></td>
|
|
398
|
</tr>
|
|
399
|
<tr>
|
|
400
|
<td>Host: </td>
|
|
401
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
402
|
</tr>
|
|
403
|
<tr>
|
|
404
|
<td>Path: </td>
|
|
405
|
<td><b>/ExpenseSettlement/Index</b></td>
|
|
406
|
</tr>
|
|
407
|
</table>
|
|
408
|
<h2>Issue detail</h2>
|
|
409
|
<span class="TEXT">The response states that the content type is <b>text/html</b>. However, it actually appears to contain <b>unrecognized content</b>.<br><br>All browsers may interpret the response as HTML.</span>
|
|
410
|
<h2>Request</h2>
|
|
411
|
<div class="rr_div"><span>GET /ExpenseSettlement/Index HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Accept: text/html, */*; q=0.01<br>X-Requested-With: XMLHttpRequest<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: empty<br>Referer: https://mp.ybx.greatcai.com/login/tabmain?url=%2fexpensesettlement%2findex<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
412
|
<h2>Response</h2>
|
|
413
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:22:03 GMT<br><span class="HIGHLIGHT">Content-Type: text/html; charset=utf-8</span><br>Connection: close<br>Vary: Accept-Encoding<br>Cache-Control: private<br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 2d38dcb,-<br>X-Cache: bypass<br>Content-Length: 618879<br><br><br><style><br> .cusWarn {<br> background-color: yellow !IMPORTANT;<br> }<br><br> .bureauLabel {<br> text-align: right;<br> padding-top: 7px;<br> }<br></style><br><br><br><d<br><b>...[SNIP]...</b><br></span></div>
|
|
414
|
<div class="rule"></div>
|
|
415
|
<span class="BODH1" id="3.4">3.4. https://mp.ybx.greatcai.com/Login/LoginSMSCodeCheck</span>
|
|
416
|
<br><a class="PREVNEXT" href="#3.3">Previous</a>
|
|
417
|
<a class="PREVNEXT" href="#3.5">Next</a>
|
|
418
|
<br>
|
|
419
|
<h2>Summary</h2>
|
|
420
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
421
|
<tr>
|
|
422
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_firm_rpt'></div></td>
|
|
423
|
<td>Severity: </td>
|
|
424
|
<td><b>Low</b></td>
|
|
425
|
</tr>
|
|
426
|
<tr>
|
|
427
|
<td>Confidence: </td>
|
|
428
|
<td><b>Firm</b></td>
|
|
429
|
</tr>
|
|
430
|
<tr>
|
|
431
|
<td>Host: </td>
|
|
432
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
433
|
</tr>
|
|
434
|
<tr>
|
|
435
|
<td>Path: </td>
|
|
436
|
<td><b>/Login/LoginSMSCodeCheck</b></td>
|
|
437
|
</tr>
|
|
438
|
</table>
|
|
439
|
<h2>Issue detail</h2>
|
|
440
|
<span class="TEXT">The response states that the content type is <b>text/html</b>. However, it actually appears to contain <b>unrecognized content</b>.<br><br>All browsers may interpret the response as HTML.</span>
|
|
441
|
<h2>Request</h2>
|
|
442
|
<div class="rr_div"><span>POST /Login/LoginSMSCodeCheck HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>Content-Length: 11<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Accept: application/json, text/javascript, */*; q=0.01<br>Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br>X-Requested-With: XMLHttpRequest<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Origin: https://mp.ybx.greatcai.com<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: empty<br>Referer: https://mp.ybx.greatcai.com/Login<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br>code=329586</span></div>
|
|
443
|
<h2>Response</h2>
|
|
444
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:34 GMT<br><span class="HIGHLIGHT">Content-Type: text/html; charset=utf-8</span><br>Content-Length: 43<br>Connection: close<br>Cache-Control: private<br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 2d38dcb,-<br>X-Cache: bypass<br><br>{"status":true,"message":"..............."}</span></div>
|
|
445
|
<div class="rule"></div>
|
|
446
|
<span class="BODH1" id="3.5">3.5. https://mp.ybx.greatcai.com/Login/SendLoginSMSCode</span>
|
|
447
|
<br><a class="PREVNEXT" href="#3.4">Previous</a>
|
|
448
|
<a class="PREVNEXT" href="#3.6">Next</a>
|
|
449
|
<br>
|
|
450
|
<h2>Summary</h2>
|
|
451
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
452
|
<tr>
|
|
453
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_firm_rpt'></div></td>
|
|
454
|
<td>Severity: </td>
|
|
455
|
<td><b>Low</b></td>
|
|
456
|
</tr>
|
|
457
|
<tr>
|
|
458
|
<td>Confidence: </td>
|
|
459
|
<td><b>Firm</b></td>
|
|
460
|
</tr>
|
|
461
|
<tr>
|
|
462
|
<td>Host: </td>
|
|
463
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
464
|
</tr>
|
|
465
|
<tr>
|
|
466
|
<td>Path: </td>
|
|
467
|
<td><b>/Login/SendLoginSMSCode</b></td>
|
|
468
|
</tr>
|
|
469
|
</table>
|
|
470
|
<h2>Issue detail</h2>
|
|
471
|
<span class="TEXT">The response states that the content type is <b>text/html</b>. However, it actually appears to contain <b>unrecognized content</b>.<br><br>All browsers may interpret the response as HTML.</span>
|
|
472
|
<h2>Request</h2>
|
|
473
|
<div class="rr_div"><span>POST /Login/SendLoginSMSCode HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>Content-Length: 0<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Accept: application/json, text/javascript, */*; q=0.01<br>X-Requested-With: XMLHttpRequest<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Origin: https://mp.ybx.greatcai.com<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: empty<br>Referer: https://mp.ybx.greatcai.com/Login<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
474
|
<h2>Response</h2>
|
|
475
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:00 GMT<br><span class="HIGHLIGHT">Content-Type: text/html; charset=utf-8</span><br>Content-Length: 52<br>Connection: close<br>Cache-Control: private<br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 8b19e79,-<br>X-Cache: bypass<br><br>{"status":true,"message":"........................"}</span></div>
|
|
476
|
<div class="rule"></div>
|
|
477
|
<span class="BODH1" id="3.6">3.6. https://mp.ybx.greatcai.com/fonts/glyphicons-halflings-regular.woff2</span>
|
|
478
|
<br><a class="PREVNEXT" href="#3.5">Previous</a>
|
|
479
|
<a class="PREVNEXT" href="#3.7">Next</a>
|
|
480
|
<br>
|
|
481
|
<h2>Summary</h2>
|
|
482
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
483
|
<tr>
|
|
484
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_firm_rpt'></div></td>
|
|
485
|
<td>Severity: </td>
|
|
486
|
<td><b>Low</b></td>
|
|
487
|
</tr>
|
|
488
|
<tr>
|
|
489
|
<td>Confidence: </td>
|
|
490
|
<td><b>Firm</b></td>
|
|
491
|
</tr>
|
|
492
|
<tr>
|
|
493
|
<td>Host: </td>
|
|
494
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
495
|
</tr>
|
|
496
|
<tr>
|
|
497
|
<td>Path: </td>
|
|
498
|
<td><b>/fonts/glyphicons-halflings-regular.woff2</b></td>
|
|
499
|
</tr>
|
|
500
|
</table>
|
|
501
|
<h2>Issue detail</h2>
|
|
502
|
<span class="TEXT">The response states that the content type is <b>application/font-woff2</b>. However, it actually appears to contain <b>unrecognized content</b>.<br><br>If the URL path can be manipulated to end with ".html", the following browsers may interpret the response as HTML:<ul><li>Internet Explorer 11</li><li>Internet Explorer 11 (Compatibility Mode)</li></ul></span>
|
|
503
|
<h2>Request</h2>
|
|
504
|
<div class="rr_div"><span>GET /fonts/glyphicons-halflings-regular.woff2 HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Origin: https://mp.ybx.greatcai.com<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Accept: */*<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: font<br>Referer: https://mp.ybx.greatcai.com/Content/bootstrap.min.css<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
505
|
<h2>Response</h2>
|
|
506
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:38 GMT<br><span class="HIGHLIGHT">Content-Type: application/font-woff2</span><br>Content-Length: 18028<br>Connection: close<br>Last-Modified: Thu, 16 Apr 2020 09:51:37 GMT<br>Accept-Ranges: bytes<br>ETag: "201f229fd413d61:0"<br>X-Via-JSL: 0be137b,-<br>X-Cache: bypass<br><br>wOF2......Fl.......\..F ...M....................?FFTM.. .`..r....<br>..$..e.6.$..t..0.. .."..Q?webf..e.5.....@..?...<br>... ..t............,3+.2q.F..YO...&>...b.m.5.Z..H$..Y....{.H jd.......%....y"......+<br><b>...[SNIP]...</b><br></span></div>
|
|
507
|
<div class="rule"></div>
|
|
508
|
<span class="BODH1" id="3.7">3.7. https://mp.ybx.greatcai.com/login/tabmain</span>
|
|
509
|
<br><a class="PREVNEXT" href="#3.6">Previous</a>
|
|
510
|
<a class="PREVNEXT" href="#3.8">Next</a>
|
|
511
|
<br>
|
|
512
|
<h2>Summary</h2>
|
|
513
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
514
|
<tr>
|
|
515
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_firm_rpt'></div></td>
|
|
516
|
<td>Severity: </td>
|
|
517
|
<td><b>Low</b></td>
|
|
518
|
</tr>
|
|
519
|
<tr>
|
|
520
|
<td>Confidence: </td>
|
|
521
|
<td><b>Firm</b></td>
|
|
522
|
</tr>
|
|
523
|
<tr>
|
|
524
|
<td>Host: </td>
|
|
525
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
526
|
</tr>
|
|
527
|
<tr>
|
|
528
|
<td>Path: </td>
|
|
529
|
<td><b>/login/tabmain</b></td>
|
|
530
|
</tr>
|
|
531
|
</table>
|
|
532
|
<h2>Issue detail</h2>
|
|
533
|
<span class="TEXT">The response states that the content type is <b>text/html</b>. However, it actually appears to contain <b>unrecognized content</b>.<br><br>All browsers may interpret the response as HTML.</span>
|
|
534
|
<h2>Request</h2>
|
|
535
|
<div class="rr_div"><span>GET /login/tabmain?url=%2fmain HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>sec-ch-ua-platform: "Windows"<br>Upgrade-Insecure-Requests: 1<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: navigate<br>Sec-Fetch-Dest: iframe<br>Referer: https://mp.ybx.greatcai.com/Login/Main<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
536
|
<h2>Response</h2>
|
|
537
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:40 GMT<br><span class="HIGHLIGHT">Content-Type: text/html; charset=utf-8</span><br>Connection: close<br>Vary: Accept-Encoding<br>Cache-Control: private<br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 2d38dcb,-<br>X-Cache: bypass<br>Content-Length: 13650<br><br><br><link href="/Content/bootstrap.min.css" rel="stylesheet" /><br><link href="/Content/bootstrapdiy.css" rel="stylesheet" /><br><link href="/Content/base.css" rel="stylesheet" /><br><link rel="stylesheet" <br><b>...[SNIP]...</b><br></span></div>
|
|
538
|
<div class="rule"></div>
|
|
539
|
<span class="BODH1" id="3.8">3.8. https://mp.ybx.greatcai.com/main</span>
|
|
540
|
<br><a class="PREVNEXT" href="#3.7">Previous</a>
|
|
541
|
<a class="PREVNEXT" href="#4.1">Next</a>
|
|
542
|
<br>
|
|
543
|
<h2>Summary</h2>
|
|
544
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
545
|
<tr>
|
|
546
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_firm_rpt'></div></td>
|
|
547
|
<td>Severity: </td>
|
|
548
|
<td><b>Low</b></td>
|
|
549
|
</tr>
|
|
550
|
<tr>
|
|
551
|
<td>Confidence: </td>
|
|
552
|
<td><b>Firm</b></td>
|
|
553
|
</tr>
|
|
554
|
<tr>
|
|
555
|
<td>Host: </td>
|
|
556
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
557
|
</tr>
|
|
558
|
<tr>
|
|
559
|
<td>Path: </td>
|
|
560
|
<td><b>/main</b></td>
|
|
561
|
</tr>
|
|
562
|
</table>
|
|
563
|
<h2>Issue detail</h2>
|
|
564
|
<span class="TEXT">The response states that the content type is <b>text/html</b>. However, it actually appears to contain <b>unrecognized content</b>.<br><br>All browsers may interpret the response as HTML.</span>
|
|
565
|
<h2>Request</h2>
|
|
566
|
<div class="rr_div"><span>GET /main HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Accept: text/html, */*; q=0.01<br>X-Requested-With: XMLHttpRequest<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: empty<br>Referer: https://mp.ybx.greatcai.com/login/tabmain?url=%2fmain<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
567
|
<h2>Response</h2>
|
|
568
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:41 GMT<br><span class="HIGHLIGHT">Content-Type: text/html; charset=utf-8</span><br>Connection: close<br>Vary: Accept-Encoding<br>Cache-Control: private<br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 2d38dcb,-<br>X-Cache: bypass<br>Content-Length: 20352<br><br><br><div class="col-md-12"><br> <div class="ol-header"><br> <i class="glyphicon glyphicon-th" style="top:1px"></i><br> ............<br> </div><br> <div style="clear:both;"></div><br> <di<br><b>...[SNIP]...</b><br></span></div>
|
|
569
|
<div class="rule"></div>
|
|
570
|
<span class="BODH0" id="4">4. <a href="https://portswigger.net/knowledgebase/issues/details/01000300_stricttransportsecuritynotenforced">Strict transport security not enforced</a></span>
|
|
571
|
<br><a class="PREVNEXT" href="#3">Previous</a>
|
|
572
|
<a class="PREVNEXT" href="#5">Next</a>
|
|
573
|
<br>
|
|
574
|
<br><span class="TEXT">There are 11 instances of this issue:
|
|
575
|
<ul>
|
|
576
|
<li><a href="#4.1">https://file.ybx.greatcai.com/Attachments/G4000222/OrganizationFile/2022/09/21/426ab68ee8f84a8bbdb4245bcf39f858.png</a></li>
|
|
577
|
<li><a href="#4.2">https://mp.ybx.greatcai.com/</a></li>
|
|
578
|
<li><a href="#4.3">https://mp.ybx.greatcai.com/Assets/bootstrap-datetimepicker/js/bootstrap-datetimepicker.zh-CN.js</a></li>
|
|
579
|
<li><a href="#4.4">https://mp.ybx.greatcai.com/Content/base.css</a></li>
|
|
580
|
<li><a href="#4.5">https://mp.ybx.greatcai.com/Login</a></li>
|
|
581
|
<li><a href="#4.6">https://mp.ybx.greatcai.com/Login/LoginSMSCodeCheck</a></li>
|
|
582
|
<li><a href="#4.7">https://mp.ybx.greatcai.com/Login/Main</a></li>
|
|
583
|
<li><a href="#4.8">https://mp.ybx.greatcai.com/Login/SendLoginSMSCode</a></li>
|
|
584
|
<li><a href="#4.9">https://mp.ybx.greatcai.com/Scripts/Common.js</a></li>
|
|
585
|
<li><a href="#4.10">https://mp.ybx.greatcai.com/Scripts/fileinput_locale_zh.js</a></li>
|
|
586
|
<li><a href="#4.11">https://mp.ybx.greatcai.com/content/styles/admin.main.css</a></li>
|
|
587
|
</ul></span>
|
|
588
|
<h2>Issue description</h2>
|
|
589
|
<span class="TEXT"><p> The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool automates this process. </p>
|
|
590
|
<p>
|
|
591
|
To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic.This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure. </p></span>
|
|
592
|
<h2>Issue remediation</h2>
|
|
593
|
<span class="TEXT"><p>The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.</p>
|
|
594
|
<p>Note that because HSTS is a "trust on first use" (TOFU) protocol, a user who has never accessed the application will never have seen the HSTS header, and will therefore still be vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' flag to the HSTS header, and submit the domain for review by browser vendors.</p></span>
|
|
595
|
<h2>References</h2>
|
|
596
|
<span class="TEXT"><ul>
|
|
597
|
<li><a href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP Strict Transport Security</a></li>
|
|
598
|
<li><a href="http://www.thoughtcrime.org/software/sslstrip/">sslstrip</a></li>
|
|
599
|
<li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
|
|
600
|
</ul></span>
|
|
601
|
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
|
|
602
|
<li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of Credentials</a></li>
|
|
603
|
</ul></span>
|
|
604
|
<br><br><div class="rule"></div>
|
|
605
|
<span class="BODH1" id="4.1">4.1. https://file.ybx.greatcai.com/Attachments/G4000222/OrganizationFile/2022/09/21/426ab68ee8f84a8bbdb4245bcf39f858.png</span>
|
|
606
|
<br><a class="PREVNEXT" href="#3.8">Previous</a>
|
|
607
|
<a class="PREVNEXT" href="#4.2">Next</a>
|
|
608
|
<br>
|
|
609
|
<h2>Summary</h2>
|
|
610
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
611
|
<tr>
|
|
612
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
|
|
613
|
<td>Severity: </td>
|
|
614
|
<td><b>Low</b></td>
|
|
615
|
</tr>
|
|
616
|
<tr>
|
|
617
|
<td>Confidence: </td>
|
|
618
|
<td><b>Certain</b></td>
|
|
619
|
</tr>
|
|
620
|
<tr>
|
|
621
|
<td>Host: </td>
|
|
622
|
<td><b>https://file.ybx.greatcai.com</b></td>
|
|
623
|
</tr>
|
|
624
|
<tr>
|
|
625
|
<td>Path: </td>
|
|
626
|
<td><b>/Attachments/G4000222/OrganizationFile/2022/09/21/426ab68ee8f84a8bbdb4245bcf39f858.png</b></td>
|
|
627
|
</tr>
|
|
628
|
</table>
|
|
629
|
<h2>Request</h2>
|
|
630
|
<div class="rr_div"><span>GET /Attachments/G4000222/OrganizationFile/2022/09/21/426ab68ee8f84a8bbdb4245bcf39f858.png HTTP/1.1<br>Host: file.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8<br>Sec-Fetch-Site: same-site<br>Sec-Fetch-Mode: no-cors<br>Sec-Fetch-Dest: image<br>Referer: https://mp.ybx.greatcai.com/Login<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=0ae1f4574daafc3cd9093e2f08ba08fc<br><br></span></div>
|
|
631
|
<h2>Response</h2>
|
|
632
|
<div class="rr_div"><span>HTTP/1.1 404 Not Found<br>Date: Tue, 30 Apr 2024 03:20:51 GMT<br>Content-Type: text/html; charset=us-ascii<br>Connection: close<br>Vary: Accept-Encoding<br>X-Via-JSL: 0be137b,-<br>X-Cache: bypass<br>Content-Length: 315<br><br><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><br><HTML><HEAD><TITLE>Not Found</TITLE><br><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"><<br><b>...[SNIP]...</b><br></span></div>
|
|
633
|
<div class="rule"></div>
|
|
634
|
<span class="BODH1" id="4.2">4.2. https://mp.ybx.greatcai.com/</span>
|
|
635
|
<br><a class="PREVNEXT" href="#4.1">Previous</a>
|
|
636
|
<a class="PREVNEXT" href="#4.3">Next</a>
|
|
637
|
<br>
|
|
638
|
<h2>Summary</h2>
|
|
639
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
640
|
<tr>
|
|
641
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
|
|
642
|
<td>Severity: </td>
|
|
643
|
<td><b>Low</b></td>
|
|
644
|
</tr>
|
|
645
|
<tr>
|
|
646
|
<td>Confidence: </td>
|
|
647
|
<td><b>Certain</b></td>
|
|
648
|
</tr>
|
|
649
|
<tr>
|
|
650
|
<td>Host: </td>
|
|
651
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
652
|
</tr>
|
|
653
|
<tr>
|
|
654
|
<td>Path: </td>
|
|
655
|
<td><b>/</b></td>
|
|
656
|
</tr>
|
|
657
|
</table>
|
|
658
|
<h2>Issue detail</h2>
|
|
659
|
<span class="TEXT">This issue was found in multiple locations under the reported path.</span>
|
|
660
|
<h2>Request</h2>
|
|
661
|
<div class="rr_div"><span>GET /Scripts/Common/fileOpt.js HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Accept: */*<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: no-cors<br>Sec-Fetch-Dest: script<br>Referer: https://mp.ybx.greatcai.com/Login/Main<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
662
|
<h2>Response</h2>
|
|
663
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:37 GMT<br>Content-Type: application/javascript<br>Content-Length: 27574<br>Connection: close<br>Vary: Accept-Encoding<br>Last-Modified: Thu, 20 Jul 2023 01:52:38 GMT<br>Accept-Ranges: bytes<br>ETag: "0f775dcacbad91:0"<br>Vary: Accept-Encoding<br>X-Via-JSL: 908f2cc,-<br>X-Cache: bypass<br><br>...//.....................<br>//.........:.........<br>//...............2018-9-6<br>//...............<br>//obj ...........................<br>//config ....................................... ...................<br><b>...[SNIP]...</b><br></span></div>
|
|
664
|
<div class="rule"></div>
|
|
665
|
<span class="BODH1" id="4.3">4.3. https://mp.ybx.greatcai.com/Assets/bootstrap-datetimepicker/js/bootstrap-datetimepicker.zh-CN.js</span>
|
|
666
|
<br><a class="PREVNEXT" href="#4.2">Previous</a>
|
|
667
|
<a class="PREVNEXT" href="#4.4">Next</a>
|
|
668
|
<br>
|
|
669
|
<h2>Summary</h2>
|
|
670
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
671
|
<tr>
|
|
672
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
|
|
673
|
<td>Severity: </td>
|
|
674
|
<td><b>Low</b></td>
|
|
675
|
</tr>
|
|
676
|
<tr>
|
|
677
|
<td>Confidence: </td>
|
|
678
|
<td><b>Certain</b></td>
|
|
679
|
</tr>
|
|
680
|
<tr>
|
|
681
|
<td>Host: </td>
|
|
682
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
683
|
</tr>
|
|
684
|
<tr>
|
|
685
|
<td>Path: </td>
|
|
686
|
<td><b>/Assets/bootstrap-datetimepicker/js/bootstrap-datetimepicker.zh-CN.js</b></td>
|
|
687
|
</tr>
|
|
688
|
</table>
|
|
689
|
<h2>Request</h2>
|
|
690
|
<div class="rr_div"><span>GET /Assets/bootstrap-datetimepicker/js/bootstrap-datetimepicker.zh-CN.js HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Accept: */*<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: no-cors<br>Sec-Fetch-Dest: script<br>Referer: https://mp.ybx.greatcai.com/Login/Main<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
691
|
<h2>Response</h2>
|
|
692
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:36 GMT<br>Content-Type: application/javascript<br>Connection: close<br>Vary: Accept-Encoding<br>Last-Modified: Thu, 16 Apr 2020 09:52:18 GMT<br>ETag: W/"856f24b7d413d61:0"<br>X-Via-JSL: fd94206,-<br>X-Cache: bypass<br>Content-Length: 850<br><br>/**<br> * Simplified Chinese translation for bootstrap-datetimepicker<br> * Yuan Cheung <advanimal@gmail.com><br> */<br>;(function($){<br> $.fn.datetimepicker.dates['zh-CN'] = {<br> days: [".........", ".........", "<br><b>...[SNIP]...</b><br></span></div>
|
|
693
|
<div class="rule"></div>
|
|
694
|
<span class="BODH1" id="4.4">4.4. https://mp.ybx.greatcai.com/Content/base.css</span>
|
|
695
|
<br><a class="PREVNEXT" href="#4.3">Previous</a>
|
|
696
|
<a class="PREVNEXT" href="#4.5">Next</a>
|
|
697
|
<br>
|
|
698
|
<h2>Summary</h2>
|
|
699
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
700
|
<tr>
|
|
701
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
|
|
702
|
<td>Severity: </td>
|
|
703
|
<td><b>Low</b></td>
|
|
704
|
</tr>
|
|
705
|
<tr>
|
|
706
|
<td>Confidence: </td>
|
|
707
|
<td><b>Certain</b></td>
|
|
708
|
</tr>
|
|
709
|
<tr>
|
|
710
|
<td>Host: </td>
|
|
711
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
712
|
</tr>
|
|
713
|
<tr>
|
|
714
|
<td>Path: </td>
|
|
715
|
<td><b>/Content/base.css</b></td>
|
|
716
|
</tr>
|
|
717
|
</table>
|
|
718
|
<h2>Request</h2>
|
|
719
|
<div class="rr_div"><span>GET /Content/base.css HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Accept: text/css,*/*;q=0.1<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: no-cors<br>Sec-Fetch-Dest: style<br>Referer: https://mp.ybx.greatcai.com/Login/Main<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
720
|
<h2>Response</h2>
|
|
721
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:35 GMT<br>Content-Type: text/css<br>Connection: close<br>Vary: Accept-Encoding<br>Last-Modified: Thu, 16 Apr 2020 09:52:22 GMT<br>ETag: W/"eb2c92b9d413d61:0"<br>X-Via-JSL: fd94206,-<br>X-Cache: bypass<br>Content-Length: 4625<br><br><br>/*<br> * Sidebar<br> */<br><br>/* Hide for mobile, show later */<br>.ol-header{<br> background-color: #C9E2FD;<br> display: inline-block;<br> margin: 5px;<br> padding: 5px 10px;<br> box-shadow: 2px 2px 5<br><b>...[SNIP]...</b><br></span></div>
|
|
722
|
<div class="rule"></div>
|
|
723
|
<span class="BODH1" id="4.5">4.5. https://mp.ybx.greatcai.com/Login</span>
|
|
724
|
<br><a class="PREVNEXT" href="#4.4">Previous</a>
|
|
725
|
<a class="PREVNEXT" href="#4.6">Next</a>
|
|
726
|
<br>
|
|
727
|
<h2>Summary</h2>
|
|
728
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
729
|
<tr>
|
|
730
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
|
|
731
|
<td>Severity: </td>
|
|
732
|
<td><b>Low</b></td>
|
|
733
|
</tr>
|
|
734
|
<tr>
|
|
735
|
<td>Confidence: </td>
|
|
736
|
<td><b>Certain</b></td>
|
|
737
|
</tr>
|
|
738
|
<tr>
|
|
739
|
<td>Host: </td>
|
|
740
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
741
|
</tr>
|
|
742
|
<tr>
|
|
743
|
<td>Path: </td>
|
|
744
|
<td><b>/Login</b></td>
|
|
745
|
</tr>
|
|
746
|
</table>
|
|
747
|
<h2>Request</h2>
|
|
748
|
<div class="rr_div"><span>POST /Login HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>Content-Length: 63<br>Cache-Control: max-age=0<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>sec-ch-ua-platform: "Windows"<br>Upgrade-Insecure-Requests: 1<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>Origin: https://mp.ybx.greatcai.com<br>Content-Type: application/x-www-form-urlencoded<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: navigate<br>Sec-Fetch-User: ?1<br>Sec-Fetch-Dest: document<br>Referer: https://mp.ybx.greatcai.com/Login<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br>userName=songjj%40YBX&password=E8F8A55DB55D265B7963468366037E06</span></div>
|
|
749
|
<h2>Response</h2>
|
|
750
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:20:51 GMT<br>Content-Type: text/html; charset=utf-8<br>Connection: close<br>Vary: Accept-Encoding<br>Cache-Control: private<br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 2d38dcb,-<br>X-Cache: bypass<br>Content-Length: 8384<br><br><br><!DOCTYPE html><br><br><html><br><head><br> <meta charset="utf-8" /><br> <meta name="viewport" content="width=device-width" /><br> <meta http-equiv="X-UA-Compatible" content="IE=11" /><br> <titl<br><b>...[SNIP]...</b><br></span></div>
|
|
751
|
<div class="rule"></div>
|
|
752
|
<span class="BODH1" id="4.6">4.6. https://mp.ybx.greatcai.com/Login/LoginSMSCodeCheck</span>
|
|
753
|
<br><a class="PREVNEXT" href="#4.5">Previous</a>
|
|
754
|
<a class="PREVNEXT" href="#4.7">Next</a>
|
|
755
|
<br>
|
|
756
|
<h2>Summary</h2>
|
|
757
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
758
|
<tr>
|
|
759
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
|
|
760
|
<td>Severity: </td>
|
|
761
|
<td><b>Low</b></td>
|
|
762
|
</tr>
|
|
763
|
<tr>
|
|
764
|
<td>Confidence: </td>
|
|
765
|
<td><b>Certain</b></td>
|
|
766
|
</tr>
|
|
767
|
<tr>
|
|
768
|
<td>Host: </td>
|
|
769
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
770
|
</tr>
|
|
771
|
<tr>
|
|
772
|
<td>Path: </td>
|
|
773
|
<td><b>/Login/LoginSMSCodeCheck</b></td>
|
|
774
|
</tr>
|
|
775
|
</table>
|
|
776
|
<h2>Request</h2>
|
|
777
|
<div class="rr_div"><span>POST /Login/LoginSMSCodeCheck HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>Content-Length: 11<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Accept: application/json, text/javascript, */*; q=0.01<br>Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br>X-Requested-With: XMLHttpRequest<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Origin: https://mp.ybx.greatcai.com<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: empty<br>Referer: https://mp.ybx.greatcai.com/Login<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br>code=329586</span></div>
|
|
778
|
<h2>Response</h2>
|
|
779
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:34 GMT<br>Content-Type: text/html; charset=utf-8<br>Content-Length: 43<br>Connection: close<br>Cache-Control: private<br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 2d38dcb,-<br>X-Cache: bypass<br><br>{"status":true,"message":"..............."}</span></div>
|
|
780
|
<div class="rule"></div>
|
|
781
|
<span class="BODH1" id="4.7">4.7. https://mp.ybx.greatcai.com/Login/Main</span>
|
|
782
|
<br><a class="PREVNEXT" href="#4.6">Previous</a>
|
|
783
|
<a class="PREVNEXT" href="#4.8">Next</a>
|
|
784
|
<br>
|
|
785
|
<h2>Summary</h2>
|
|
786
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
787
|
<tr>
|
|
788
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
|
|
789
|
<td>Severity: </td>
|
|
790
|
<td><b>Low</b></td>
|
|
791
|
</tr>
|
|
792
|
<tr>
|
|
793
|
<td>Confidence: </td>
|
|
794
|
<td><b>Certain</b></td>
|
|
795
|
</tr>
|
|
796
|
<tr>
|
|
797
|
<td>Host: </td>
|
|
798
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
799
|
</tr>
|
|
800
|
<tr>
|
|
801
|
<td>Path: </td>
|
|
802
|
<td><b>/Login/Main</b></td>
|
|
803
|
</tr>
|
|
804
|
</table>
|
|
805
|
<h2>Request</h2>
|
|
806
|
<div class="rr_div"><span>GET /Login/Main HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>sec-ch-ua-platform: "Windows"<br>Upgrade-Insecure-Requests: 1<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: navigate<br>Sec-Fetch-User: ?1<br>Sec-Fetch-Dest: document<br>Referer: https://mp.ybx.greatcai.com/Login<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
807
|
<h2>Response</h2>
|
|
808
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:35 GMT<br>Content-Type: text/html; charset=utf-8<br>Connection: close<br>Vary: Accept-Encoding<br>Cache-Control: private<br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: fd94206,-<br>X-Cache: bypass<br>Content-Length: 158903<br><br><br><!DOCTYPE html><br><br><html lang="en" style="height: 100%;overflow-y: hidden;"><br><head><br> <meta charset="utf-8" /><br> <title>.....................</title><br> <meta content="width=device-wi<br><b>...[SNIP]...</b><br></span></div>
|
|
809
|
<div class="rule"></div>
|
|
810
|
<span class="BODH1" id="4.8">4.8. https://mp.ybx.greatcai.com/Login/SendLoginSMSCode</span>
|
|
811
|
<br><a class="PREVNEXT" href="#4.7">Previous</a>
|
|
812
|
<a class="PREVNEXT" href="#4.9">Next</a>
|
|
813
|
<br>
|
|
814
|
<h2>Summary</h2>
|
|
815
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
816
|
<tr>
|
|
817
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
|
|
818
|
<td>Severity: </td>
|
|
819
|
<td><b>Low</b></td>
|
|
820
|
</tr>
|
|
821
|
<tr>
|
|
822
|
<td>Confidence: </td>
|
|
823
|
<td><b>Certain</b></td>
|
|
824
|
</tr>
|
|
825
|
<tr>
|
|
826
|
<td>Host: </td>
|
|
827
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
828
|
</tr>
|
|
829
|
<tr>
|
|
830
|
<td>Path: </td>
|
|
831
|
<td><b>/Login/SendLoginSMSCode</b></td>
|
|
832
|
</tr>
|
|
833
|
</table>
|
|
834
|
<h2>Request</h2>
|
|
835
|
<div class="rr_div"><span>POST /Login/SendLoginSMSCode HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>Content-Length: 0<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Accept: application/json, text/javascript, */*; q=0.01<br>X-Requested-With: XMLHttpRequest<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Origin: https://mp.ybx.greatcai.com<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: empty<br>Referer: https://mp.ybx.greatcai.com/Login<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
836
|
<h2>Response</h2>
|
|
837
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:00 GMT<br>Content-Type: text/html; charset=utf-8<br>Content-Length: 52<br>Connection: close<br>Cache-Control: private<br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 8b19e79,-<br>X-Cache: bypass<br><br>{"status":true,"message":"........................"}</span></div>
|
|
838
|
<div class="rule"></div>
|
|
839
|
<span class="BODH1" id="4.9">4.9. https://mp.ybx.greatcai.com/Scripts/Common.js</span>
|
|
840
|
<br><a class="PREVNEXT" href="#4.8">Previous</a>
|
|
841
|
<a class="PREVNEXT" href="#4.10">Next</a>
|
|
842
|
<br>
|
|
843
|
<h2>Summary</h2>
|
|
844
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
845
|
<tr>
|
|
846
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
|
|
847
|
<td>Severity: </td>
|
|
848
|
<td><b>Low</b></td>
|
|
849
|
</tr>
|
|
850
|
<tr>
|
|
851
|
<td>Confidence: </td>
|
|
852
|
<td><b>Certain</b></td>
|
|
853
|
</tr>
|
|
854
|
<tr>
|
|
855
|
<td>Host: </td>
|
|
856
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
857
|
</tr>
|
|
858
|
<tr>
|
|
859
|
<td>Path: </td>
|
|
860
|
<td><b>/Scripts/Common.js</b></td>
|
|
861
|
</tr>
|
|
862
|
</table>
|
|
863
|
<h2>Request</h2>
|
|
864
|
<div class="rr_div"><span>GET /Scripts/Common.js HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Accept: */*<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: no-cors<br>Sec-Fetch-Dest: script<br>Referer: https://mp.ybx.greatcai.com/Login/Main<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
865
|
<h2>Response</h2>
|
|
866
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:36 GMT<br>Content-Type: application/javascript<br>Content-Length: 213735<br>Connection: close<br>Vary: Accept-Encoding<br>Last-Modified: Thu, 02 Nov 2023 06:40:22 GMT<br>Accept-Ranges: bytes<br>ETag: "0ffb7357dda1:0"<br>Vary: Accept-Encoding<br>X-Via-JSL: 908f2cc,-<br>X-Cache: bypass<br><br>...<br>// JScript ......<br>var className = "ClassName";<br>var browseWidth = "300";<br>var browseHeight = "200";<br><br>//....................................<br>function GetCtrPageTop(ctr) {<br> var ctrPageTop =<br><b>...[SNIP]...</b><br></span></div>
|
|
867
|
<div class="rule"></div>
|
|
868
|
<span class="BODH1" id="4.10">4.10. https://mp.ybx.greatcai.com/Scripts/fileinput_locale_zh.js</span>
|
|
869
|
<br><a class="PREVNEXT" href="#4.9">Previous</a>
|
|
870
|
<a class="PREVNEXT" href="#4.11">Next</a>
|
|
871
|
<br>
|
|
872
|
<h2>Summary</h2>
|
|
873
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
874
|
<tr>
|
|
875
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
|
|
876
|
<td>Severity: </td>
|
|
877
|
<td><b>Low</b></td>
|
|
878
|
</tr>
|
|
879
|
<tr>
|
|
880
|
<td>Confidence: </td>
|
|
881
|
<td><b>Certain</b></td>
|
|
882
|
</tr>
|
|
883
|
<tr>
|
|
884
|
<td>Host: </td>
|
|
885
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
886
|
</tr>
|
|
887
|
<tr>
|
|
888
|
<td>Path: </td>
|
|
889
|
<td><b>/Scripts/fileinput_locale_zh.js</b></td>
|
|
890
|
</tr>
|
|
891
|
</table>
|
|
892
|
<h2>Request</h2>
|
|
893
|
<div class="rr_div"><span>GET /Scripts/fileinput_locale_zh.js HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Accept: */*<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: no-cors<br>Sec-Fetch-Dest: script<br>Referer: https://mp.ybx.greatcai.com/Login/Main<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
894
|
<h2>Response</h2>
|
|
895
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:37 GMT<br>Content-Type: application/javascript<br>Content-Length: 3248<br>Connection: close<br>Vary: Accept-Encoding<br>Last-Modified: Thu, 21 May 2020 09:22:52 GMT<br>Accept-Ranges: bytes<br>ETag: "0fef166512fd61:0"<br>Vary: Accept-Encoding<br>X-Via-JSL: ec63fa5,-<br>X-Cache: bypass<br><br>/*!<br> * FileInput Chinese Translations<br> *<br> * This file must be loaded after 'fileinput.js'. Patterns in braces '{}', or<br> * any HTML markup tags in the messages must not be converted or translated.<br><b>...[SNIP]...</b><br></span></div>
|
|
896
|
<div class="rule"></div>
|
|
897
|
<span class="BODH1" id="4.11">4.11. https://mp.ybx.greatcai.com/content/styles/admin.main.css</span>
|
|
898
|
<br><a class="PREVNEXT" href="#4.10">Previous</a>
|
|
899
|
<a class="PREVNEXT" href="#6.1">Next</a>
|
|
900
|
<br>
|
|
901
|
<h2>Summary</h2>
|
|
902
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
903
|
<tr>
|
|
904
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_certain_rpt'></div></td>
|
|
905
|
<td>Severity: </td>
|
|
906
|
<td><b>Low</b></td>
|
|
907
|
</tr>
|
|
908
|
<tr>
|
|
909
|
<td>Confidence: </td>
|
|
910
|
<td><b>Certain</b></td>
|
|
911
|
</tr>
|
|
912
|
<tr>
|
|
913
|
<td>Host: </td>
|
|
914
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
915
|
</tr>
|
|
916
|
<tr>
|
|
917
|
<td>Path: </td>
|
|
918
|
<td><b>/content/styles/admin.main.css</b></td>
|
|
919
|
</tr>
|
|
920
|
</table>
|
|
921
|
<h2>Request</h2>
|
|
922
|
<div class="rr_div"><span>GET /content/styles/admin.main.css HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Accept: text/css,*/*;q=0.1<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: no-cors<br>Sec-Fetch-Dest: style<br>Referer: https://mp.ybx.greatcai.com/Login/Main<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
923
|
<h2>Response</h2>
|
|
924
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:36 GMT<br>Content-Type: text/css<br>Connection: close<br>Vary: Accept-Encoding<br>Last-Modified: Thu, 16 Apr 2020 09:52:22 GMT<br>ETag: W/"ba292b9d413d61:0"<br>X-Via-JSL: 2d38dcb,-<br>X-Cache: bypass<br>Content-Length: 2021<br><br>...html, body, div, span, input, p,h1, h2, h3, h4, h5, h6, blockquote, a, abbr, acronym, address, strong, b, u, i, center,dl, dt, dd, ol, ul,td,tr<br>{<br> font-family:"Microsoft Yahei","............",<br><b>...[SNIP]...</b><br></span></div>
|
|
925
|
<div class="rule"></div>
|
|
926
|
<span class="BODH0" id="5">5. <a href="https://portswigger.net/knowledgebase/issues/details/005009a0_frameableresponsepotentialclickjacking">Frameable response (potential Clickjacking)</a></span>
|
|
927
|
<br><a class="PREVNEXT" href="#4">Previous</a>
|
|
928
|
<a class="PREVNEXT" href="#6">Next</a>
|
|
929
|
<br>
|
|
930
|
<h2>Summary</h2>
|
|
931
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
932
|
<tr>
|
|
933
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
|
|
934
|
<td>Severity: </td>
|
|
935
|
<td><b>Information</b></td>
|
|
936
|
</tr>
|
|
937
|
<tr>
|
|
938
|
<td>Confidence: </td>
|
|
939
|
<td><b>Firm</b></td>
|
|
940
|
</tr>
|
|
941
|
<tr>
|
|
942
|
<td>Host: </td>
|
|
943
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
944
|
</tr>
|
|
945
|
<tr>
|
|
946
|
<td>Path: </td>
|
|
947
|
<td><b>/Login/Main</b></td>
|
|
948
|
</tr>
|
|
949
|
</table>
|
|
950
|
<h2>Issue description</h2>
|
|
951
|
<span class="TEXT"><p>If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.</p>
|
|
952
|
<p>Note that some applications attempt to prevent these attacks from within the HTML page itself, using "framebusting" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.</p>
|
|
953
|
<p>You should determine whether any functions accessible within frameable pages can be used by application users to perform any sensitive actions within the application. </p></span>
|
|
954
|
<h2>Issue remediation</h2>
|
|
955
|
<span class="TEXT"><p>To effectively prevent framing attacks, the application should return a response header with the name <b>X-Frame-Options</b> and the value <b>DENY</b> to prevent framing altogether, or the value <b>SAMEORIGIN</b> to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.</p></span>
|
|
956
|
<h2>References</h2>
|
|
957
|
<span class="TEXT"><ul><li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options">X-Frame-Options</a></li></ul></span>
|
|
958
|
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
|
|
959
|
<li><a href="https://cwe.mitre.org/data/definitions/693.html">CWE-693: Protection Mechanism Failure</a></li>
|
|
960
|
</ul></span>
|
|
961
|
<h2>Request</h2>
|
|
962
|
<div class="rr_div"><span>GET /Login/Main HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>sec-ch-ua-platform: "Windows"<br>Upgrade-Insecure-Requests: 1<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: navigate<br>Sec-Fetch-User: ?1<br>Sec-Fetch-Dest: document<br>Referer: https://mp.ybx.greatcai.com/Login<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
963
|
<h2>Response</h2>
|
|
964
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:35 GMT<br>Content-Type: text/html; charset=utf-8<br>Connection: close<br>Vary: Accept-Encoding<br>Cache-Control: private<br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: fd94206,-<br>X-Cache: bypass<br>Content-Length: 158903<br><br><br><!DOCTYPE html><br><br><html lang="en" style="height: 100%;overflow-y: hidden;"><br><head><br> <meta charset="utf-8" /><br> <title>.....................</title><br> <meta content="width=device-wi<br><b>...[SNIP]...</b><br></span></div>
|
|
965
|
<div class="rule"></div>
|
|
966
|
<span class="BODH0" id="6">6. <a href="https://portswigger.net/knowledgebase/issues/details/00700100_cacheablehttpsresponse">Cacheable HTTPS response</a></span>
|
|
967
|
<br><a class="PREVNEXT" href="#5">Previous</a>
|
|
968
|
<br>
|
|
969
|
<br><span class="TEXT">There are 9 instances of this issue:
|
|
970
|
<ul>
|
|
971
|
<li><a href="#6.1">/</a></li>
|
|
972
|
<li><a href="#6.2">/Base/TimerMessage</a></li>
|
|
973
|
<li><a href="#6.3">/Login</a></li>
|
|
974
|
<li><a href="#6.4">/Login/LoginSMSCodeCheck</a></li>
|
|
975
|
<li><a href="#6.5">/Login/Main</a></li>
|
|
976
|
<li><a href="#6.6">/Login/SendLoginSMSCode</a></li>
|
|
977
|
<li><a href="#6.7">/fonts/glyphicons-halflings-regular.woff2</a></li>
|
|
978
|
<li><a href="#6.8">/login/tabmain</a></li>
|
|
979
|
<li><a href="#6.9">/main</a></li>
|
|
980
|
</ul></span>
|
|
981
|
<h2>Issue background</h2>
|
|
982
|
<span class="TEXT"><p>Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.</p></span>
|
|
983
|
<h2>Issue remediation</h2>
|
|
984
|
<span class="TEXT"><p>Applications should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:</p>
|
|
985
|
<ul>
|
|
986
|
<li>Cache-control: no-store</li><li>Pragma: no-cache</li></ul></span>
|
|
987
|
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
|
|
988
|
<li><a href="https://cwe.mitre.org/data/definitions/524.html">CWE-524: Information Exposure Through Caching</a></li>
|
|
989
|
<li><a href="https://cwe.mitre.org/data/definitions/525.html">CWE-525: Information Exposure Through Browser Caching</a></li>
|
|
990
|
</ul></span>
|
|
991
|
<br><br><div class="rule"></div>
|
|
992
|
<span class="BODH1" id="6.1">6.1. https://mp.ybx.greatcai.com/</span>
|
|
993
|
<br><a class="PREVNEXT" href="#4.11">Previous</a>
|
|
994
|
<a class="PREVNEXT" href="#6.2">Next</a>
|
|
995
|
<br>
|
|
996
|
<h2>Summary</h2>
|
|
997
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
998
|
<tr>
|
|
999
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
|
|
1000
|
<td>Severity: </td>
|
|
1001
|
<td><b>Information</b></td>
|
|
1002
|
</tr>
|
|
1003
|
<tr>
|
|
1004
|
<td>Confidence: </td>
|
|
1005
|
<td><b>Certain</b></td>
|
|
1006
|
</tr>
|
|
1007
|
<tr>
|
|
1008
|
<td>Host: </td>
|
|
1009
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
1010
|
</tr>
|
|
1011
|
<tr>
|
|
1012
|
<td>Path: </td>
|
|
1013
|
<td><b>/</b></td>
|
|
1014
|
</tr>
|
|
1015
|
</table>
|
|
1016
|
<h2>Issue detail</h2>
|
|
1017
|
<span class="TEXT">This issue was found in multiple locations under the reported path.</span>
|
|
1018
|
<h2>Request 1</h2>
|
|
1019
|
<div class="rr_div"><span>GET /Login/Main?X-Requested-With=XMLHttpRequest HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Accept: */*<br>X-Requested-With: XMLHttpRequest<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: empty<br>Referer: https://mp.ybx.greatcai.com/Login/Main<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
1020
|
<h2>Response 1</h2>
|
|
1021
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:44 GMT<br>Content-Type: text/html; charset=utf-8<br>Connection: close<br>Vary: Accept-Encoding<br><span class="HIGHLIGHT">Cache-Control: private</span><br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: fd94206,-<br>X-Cache: bypass<br>Content-Length: 158903<br><br><br><!DOCTYPE html><br><br><html lang="en" style="height: 100%;overflow-y: hidden;"><br><head><br> <meta charset="utf-8" /><br> <title>.....................</title><br> <meta content="width=device-wi<br><b>...[SNIP]...</b><br></span></div>
|
|
1022
|
<h2>Request 2</h2>
|
|
1023
|
<div class="rr_div"><span>GET /login/tabmain?url=%2fmain&X-Requested-With=XMLHttpRequest HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Accept: */*<br>X-Requested-With: XMLHttpRequest<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: empty<br>Referer: https://mp.ybx.greatcai.com/login/tabmain?url=%2fmain<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
1024
|
<h2>Response 2</h2>
|
|
1025
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:44 GMT<br>Content-Type: text/html; charset=utf-8<br>Connection: close<br>Vary: Accept-Encoding<br><span class="HIGHLIGHT">Cache-Control: private</span><br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: fd94206,-<br>X-Cache: bypass<br>Content-Length: 13650<br><br><br><link href="/Content/bootstrap.min.css" rel="stylesheet" /><br><link href="/Content/bootstrapdiy.css" rel="stylesheet" /><br><link href="/Content/base.css" rel="stylesheet" /><br><link rel="stylesheet" <br><b>...[SNIP]...</b><br></span></div>
|
|
1026
|
<div class="rule"></div>
|
|
1027
|
<span class="BODH1" id="6.2">6.2. https://mp.ybx.greatcai.com/Base/TimerMessage</span>
|
|
1028
|
<br><a class="PREVNEXT" href="#6.1">Previous</a>
|
|
1029
|
<a class="PREVNEXT" href="#6.3">Next</a>
|
|
1030
|
<br>
|
|
1031
|
<h2>Summary</h2>
|
|
1032
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
1033
|
<tr>
|
|
1034
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
|
|
1035
|
<td>Severity: </td>
|
|
1036
|
<td><b>Information</b></td>
|
|
1037
|
</tr>
|
|
1038
|
<tr>
|
|
1039
|
<td>Confidence: </td>
|
|
1040
|
<td><b>Certain</b></td>
|
|
1041
|
</tr>
|
|
1042
|
<tr>
|
|
1043
|
<td>Host: </td>
|
|
1044
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
1045
|
</tr>
|
|
1046
|
<tr>
|
|
1047
|
<td>Path: </td>
|
|
1048
|
<td><b>/Base/TimerMessage</b></td>
|
|
1049
|
</tr>
|
|
1050
|
</table>
|
|
1051
|
<h2>Request 1</h2>
|
|
1052
|
<div class="rr_div"><span>POST /Base/TimerMessage HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>Content-Length: 0<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Accept: application/json, text/javascript, */*; q=0.01<br>X-Requested-With: XMLHttpRequest<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Origin: https://mp.ybx.greatcai.com<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: empty<br>Referer: https://mp.ybx.greatcai.com/Login/Main<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
1053
|
<h2>Response 1</h2>
|
|
1054
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:42 GMT<br>Content-Type: text/html; charset=utf-8<br>Connection: close<br>Vary: Accept-Encoding<br><span class="HIGHLIGHT">Cache-Control: private</span><br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: ec63fa5,-<br>X-Cache: bypass<br>Content-Length: 260<br><br>{"status":true,"message":null,"flag":null,"data":{"contractList":[],"insuerBrandPassWordList":[],"batchOperationList":[],"orgBalanceList":[],"orgBalanceNotEnoughList":[],"appList":[],"msgList":[],"set<br><b>...[SNIP]...</b><br></span></div>
|
|
1055
|
<div class="rule"></div>
|
|
1056
|
<span class="BODH1" id="6.3">6.3. https://mp.ybx.greatcai.com/Login</span>
|
|
1057
|
<br><a class="PREVNEXT" href="#6.2">Previous</a>
|
|
1058
|
<a class="PREVNEXT" href="#6.4">Next</a>
|
|
1059
|
<br>
|
|
1060
|
<h2>Summary</h2>
|
|
1061
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
1062
|
<tr>
|
|
1063
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
|
|
1064
|
<td>Severity: </td>
|
|
1065
|
<td><b>Information</b></td>
|
|
1066
|
</tr>
|
|
1067
|
<tr>
|
|
1068
|
<td>Confidence: </td>
|
|
1069
|
<td><b>Certain</b></td>
|
|
1070
|
</tr>
|
|
1071
|
<tr>
|
|
1072
|
<td>Host: </td>
|
|
1073
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
1074
|
</tr>
|
|
1075
|
<tr>
|
|
1076
|
<td>Path: </td>
|
|
1077
|
<td><b>/Login</b></td>
|
|
1078
|
</tr>
|
|
1079
|
</table>
|
|
1080
|
<h2>Request 1</h2>
|
|
1081
|
<div class="rr_div"><span>POST /Login HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>Content-Length: 63<br>Cache-Control: max-age=0<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>sec-ch-ua-platform: "Windows"<br>Upgrade-Insecure-Requests: 1<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>Origin: https://mp.ybx.greatcai.com<br>Content-Type: application/x-www-form-urlencoded<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: navigate<br>Sec-Fetch-User: ?1<br>Sec-Fetch-Dest: document<br>Referer: https://mp.ybx.greatcai.com/Login<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br>userName=songjj%40YBX&password=E8F8A55DB55D265B7963468366037E06</span></div>
|
|
1082
|
<h2>Response 1</h2>
|
|
1083
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:20:51 GMT<br>Content-Type: text/html; charset=utf-8<br>Connection: close<br>Vary: Accept-Encoding<br><span class="HIGHLIGHT">Cache-Control: private</span><br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 2d38dcb,-<br>X-Cache: bypass<br>Content-Length: 8384<br><br><br><!DOCTYPE html><br><br><html><br><head><br> <meta charset="utf-8" /><br> <meta name="viewport" content="width=device-width" /><br> <meta http-equiv="X-UA-Compatible" content="IE=11" /><br> <titl<br><b>...[SNIP]...</b><br></span></div>
|
|
1084
|
<div class="rule"></div>
|
|
1085
|
<span class="BODH1" id="6.4">6.4. https://mp.ybx.greatcai.com/Login/LoginSMSCodeCheck</span>
|
|
1086
|
<br><a class="PREVNEXT" href="#6.3">Previous</a>
|
|
1087
|
<a class="PREVNEXT" href="#6.5">Next</a>
|
|
1088
|
<br>
|
|
1089
|
<h2>Summary</h2>
|
|
1090
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
1091
|
<tr>
|
|
1092
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
|
|
1093
|
<td>Severity: </td>
|
|
1094
|
<td><b>Information</b></td>
|
|
1095
|
</tr>
|
|
1096
|
<tr>
|
|
1097
|
<td>Confidence: </td>
|
|
1098
|
<td><b>Certain</b></td>
|
|
1099
|
</tr>
|
|
1100
|
<tr>
|
|
1101
|
<td>Host: </td>
|
|
1102
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
1103
|
</tr>
|
|
1104
|
<tr>
|
|
1105
|
<td>Path: </td>
|
|
1106
|
<td><b>/Login/LoginSMSCodeCheck</b></td>
|
|
1107
|
</tr>
|
|
1108
|
</table>
|
|
1109
|
<h2>Request 1</h2>
|
|
1110
|
<div class="rr_div"><span>POST /Login/LoginSMSCodeCheck HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>Content-Length: 11<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Accept: application/json, text/javascript, */*; q=0.01<br>Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br>X-Requested-With: XMLHttpRequest<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Origin: https://mp.ybx.greatcai.com<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: empty<br>Referer: https://mp.ybx.greatcai.com/Login<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br>code=329586</span></div>
|
|
1111
|
<h2>Response 1</h2>
|
|
1112
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:34 GMT<br>Content-Type: text/html; charset=utf-8<br>Content-Length: 43<br>Connection: close<br><span class="HIGHLIGHT">Cache-Control: private</span><br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 2d38dcb,-<br>X-Cache: bypass<br><br>{"status":true,"message":"..............."}</span></div>
|
|
1113
|
<div class="rule"></div>
|
|
1114
|
<span class="BODH1" id="6.5">6.5. https://mp.ybx.greatcai.com/Login/Main</span>
|
|
1115
|
<br><a class="PREVNEXT" href="#6.4">Previous</a>
|
|
1116
|
<a class="PREVNEXT" href="#6.6">Next</a>
|
|
1117
|
<br>
|
|
1118
|
<h2>Summary</h2>
|
|
1119
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
1120
|
<tr>
|
|
1121
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
|
|
1122
|
<td>Severity: </td>
|
|
1123
|
<td><b>Information</b></td>
|
|
1124
|
</tr>
|
|
1125
|
<tr>
|
|
1126
|
<td>Confidence: </td>
|
|
1127
|
<td><b>Certain</b></td>
|
|
1128
|
</tr>
|
|
1129
|
<tr>
|
|
1130
|
<td>Host: </td>
|
|
1131
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
1132
|
</tr>
|
|
1133
|
<tr>
|
|
1134
|
<td>Path: </td>
|
|
1135
|
<td><b>/Login/Main</b></td>
|
|
1136
|
</tr>
|
|
1137
|
</table>
|
|
1138
|
<h2>Request 1</h2>
|
|
1139
|
<div class="rr_div"><span>GET /Login/Main HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>sec-ch-ua-platform: "Windows"<br>Upgrade-Insecure-Requests: 1<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: navigate<br>Sec-Fetch-User: ?1<br>Sec-Fetch-Dest: document<br>Referer: https://mp.ybx.greatcai.com/Login<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
1140
|
<h2>Response 1</h2>
|
|
1141
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:35 GMT<br>Content-Type: text/html; charset=utf-8<br>Connection: close<br>Vary: Accept-Encoding<br><span class="HIGHLIGHT">Cache-Control: private</span><br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: fd94206,-<br>X-Cache: bypass<br>Content-Length: 158903<br><br><br><!DOCTYPE html><br><br><html lang="en" style="height: 100%;overflow-y: hidden;"><br><head><br> <meta charset="utf-8" /><br> <title>.....................</title><br> <meta content="width=device-wi<br><b>...[SNIP]...</b><br></span></div>
|
|
1142
|
<div class="rule"></div>
|
|
1143
|
<span class="BODH1" id="6.6">6.6. https://mp.ybx.greatcai.com/Login/SendLoginSMSCode</span>
|
|
1144
|
<br><a class="PREVNEXT" href="#6.5">Previous</a>
|
|
1145
|
<a class="PREVNEXT" href="#6.7">Next</a>
|
|
1146
|
<br>
|
|
1147
|
<h2>Summary</h2>
|
|
1148
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
1149
|
<tr>
|
|
1150
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
|
|
1151
|
<td>Severity: </td>
|
|
1152
|
<td><b>Information</b></td>
|
|
1153
|
</tr>
|
|
1154
|
<tr>
|
|
1155
|
<td>Confidence: </td>
|
|
1156
|
<td><b>Certain</b></td>
|
|
1157
|
</tr>
|
|
1158
|
<tr>
|
|
1159
|
<td>Host: </td>
|
|
1160
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
1161
|
</tr>
|
|
1162
|
<tr>
|
|
1163
|
<td>Path: </td>
|
|
1164
|
<td><b>/Login/SendLoginSMSCode</b></td>
|
|
1165
|
</tr>
|
|
1166
|
</table>
|
|
1167
|
<h2>Request 1</h2>
|
|
1168
|
<div class="rr_div"><span>POST /Login/SendLoginSMSCode HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>Content-Length: 0<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Accept: application/json, text/javascript, */*; q=0.01<br>X-Requested-With: XMLHttpRequest<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Origin: https://mp.ybx.greatcai.com<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: empty<br>Referer: https://mp.ybx.greatcai.com/Login<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
1169
|
<h2>Response 1</h2>
|
|
1170
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:00 GMT<br>Content-Type: text/html; charset=utf-8<br>Content-Length: 52<br>Connection: close<br><span class="HIGHLIGHT">Cache-Control: private</span><br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 8b19e79,-<br>X-Cache: bypass<br><br>{"status":true,"message":"........................"}</span></div>
|
|
1171
|
<div class="rule"></div>
|
|
1172
|
<span class="BODH1" id="6.7">6.7. https://mp.ybx.greatcai.com/fonts/glyphicons-halflings-regular.woff2</span>
|
|
1173
|
<br><a class="PREVNEXT" href="#6.6">Previous</a>
|
|
1174
|
<a class="PREVNEXT" href="#6.8">Next</a>
|
|
1175
|
<br>
|
|
1176
|
<h2>Summary</h2>
|
|
1177
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
1178
|
<tr>
|
|
1179
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
|
|
1180
|
<td>Severity: </td>
|
|
1181
|
<td><b>Information</b></td>
|
|
1182
|
</tr>
|
|
1183
|
<tr>
|
|
1184
|
<td>Confidence: </td>
|
|
1185
|
<td><b>Certain</b></td>
|
|
1186
|
</tr>
|
|
1187
|
<tr>
|
|
1188
|
<td>Host: </td>
|
|
1189
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
1190
|
</tr>
|
|
1191
|
<tr>
|
|
1192
|
<td>Path: </td>
|
|
1193
|
<td><b>/fonts/glyphicons-halflings-regular.woff2</b></td>
|
|
1194
|
</tr>
|
|
1195
|
</table>
|
|
1196
|
<h2>Request 1</h2>
|
|
1197
|
<div class="rr_div"><span>GET /fonts/glyphicons-halflings-regular.woff2 HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Origin: https://mp.ybx.greatcai.com<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Accept: */*<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: font<br>Referer: https://mp.ybx.greatcai.com/Content/bootstrap.min.css<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
1198
|
<h2>Response 1</h2>
|
|
1199
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:38 GMT<br>Content-Type: application/font-woff2<br>Content-Length: 18028<br>Connection: close<br>Last-Modified: Thu, 16 Apr 2020 09:51:37 GMT<br>Accept-Ranges: bytes<br>ETag: "201f229fd413d61:0"<br>X-Via-JSL: 0be137b,-<br>X-Cache: bypass<br><br>wOF2......Fl.......\..F ...M....................?FFTM.. .`..r....<br>..$..e.6.$..t..0.. .."..Q?webf..e.5.....@..?...<br>... ..t............,3+.2q.F..YO...&>...b.m.5.Z..H$..Y....{.H jd.......%....y"......+<br><b>...[SNIP]...</b><br></span></div>
|
|
1200
|
<div class="rule"></div>
|
|
1201
|
<span class="BODH1" id="6.8">6.8. https://mp.ybx.greatcai.com/login/tabmain</span>
|
|
1202
|
<br><a class="PREVNEXT" href="#6.7">Previous</a>
|
|
1203
|
<a class="PREVNEXT" href="#6.9">Next</a>
|
|
1204
|
<br>
|
|
1205
|
<h2>Summary</h2>
|
|
1206
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
1207
|
<tr>
|
|
1208
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
|
|
1209
|
<td>Severity: </td>
|
|
1210
|
<td><b>Information</b></td>
|
|
1211
|
</tr>
|
|
1212
|
<tr>
|
|
1213
|
<td>Confidence: </td>
|
|
1214
|
<td><b>Certain</b></td>
|
|
1215
|
</tr>
|
|
1216
|
<tr>
|
|
1217
|
<td>Host: </td>
|
|
1218
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
1219
|
</tr>
|
|
1220
|
<tr>
|
|
1221
|
<td>Path: </td>
|
|
1222
|
<td><b>/login/tabmain</b></td>
|
|
1223
|
</tr>
|
|
1224
|
</table>
|
|
1225
|
<h2>Request 1</h2>
|
|
1226
|
<div class="rr_div"><span>GET /login/tabmain?url=%2fmain HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>sec-ch-ua-mobile: ?0<br>sec-ch-ua-platform: "Windows"<br>Upgrade-Insecure-Requests: 1<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: navigate<br>Sec-Fetch-Dest: iframe<br>Referer: https://mp.ybx.greatcai.com/Login/Main<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
1227
|
<h2>Response 1</h2>
|
|
1228
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:40 GMT<br>Content-Type: text/html; charset=utf-8<br>Connection: close<br>Vary: Accept-Encoding<br><span class="HIGHLIGHT">Cache-Control: private</span><br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 2d38dcb,-<br>X-Cache: bypass<br>Content-Length: 13650<br><br><br><link href="/Content/bootstrap.min.css" rel="stylesheet" /><br><link href="/Content/bootstrapdiy.css" rel="stylesheet" /><br><link href="/Content/base.css" rel="stylesheet" /><br><link rel="stylesheet" <br><b>...[SNIP]...</b><br></span></div>
|
|
1229
|
<div class="rule"></div>
|
|
1230
|
<span class="BODH1" id="6.9">6.9. https://mp.ybx.greatcai.com/main</span>
|
|
1231
|
<br><a class="PREVNEXT" href="#6.8">Previous</a>
|
|
1232
|
<br>
|
|
1233
|
<h2>Summary</h2>
|
|
1234
|
<table cellpadding="0" cellspacing="0" class="summary_table">
|
|
1235
|
<tr>
|
|
1236
|
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
|
|
1237
|
<td>Severity: </td>
|
|
1238
|
<td><b>Information</b></td>
|
|
1239
|
</tr>
|
|
1240
|
<tr>
|
|
1241
|
<td>Confidence: </td>
|
|
1242
|
<td><b>Certain</b></td>
|
|
1243
|
</tr>
|
|
1244
|
<tr>
|
|
1245
|
<td>Host: </td>
|
|
1246
|
<td><b>https://mp.ybx.greatcai.com</b></td>
|
|
1247
|
</tr>
|
|
1248
|
<tr>
|
|
1249
|
<td>Path: </td>
|
|
1250
|
<td><b>/main</b></td>
|
|
1251
|
</tr>
|
|
1252
|
</table>
|
|
1253
|
<h2>Request 1</h2>
|
|
1254
|
<div class="rr_div"><span>GET /main HTTP/1.1<br>Host: mp.ybx.greatcai.com<br>Connection: close<br>sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"<br>Accept: text/html, */*; q=0.01<br>X-Requested-With: XMLHttpRequest<br>sec-ch-ua-mobile: ?0<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36<br>sec-ch-ua-platform: "Windows"<br>Sec-Fetch-Site: same-origin<br>Sec-Fetch-Mode: cors<br>Sec-Fetch-Dest: empty<br>Referer: https://mp.ybx.greatcai.com/login/tabmain?url=%2fmain<br>Accept-Encoding: gzip, deflate<br>Accept-Language: zh-CN,zh;q=0.9<br>Cookie: __jsluid_s=33b5adbdd57a2a343d715bbc3e5108fd; ASP.NET_SessionId=nygxo3kujxbqjv4t05p4ld2i<br><br></span></div>
|
|
1255
|
<h2>Response 1</h2>
|
|
1256
|
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Tue, 30 Apr 2024 03:21:41 GMT<br>Content-Type: text/html; charset=utf-8<br>Connection: close<br>Vary: Accept-Encoding<br><span class="HIGHLIGHT">Cache-Control: private</span><br>X-AspNetMvc-Version: 5.2<br>X-AspNet-Version: 4.0.30319<br>X-Via-JSL: 2d38dcb,-<br>X-Cache: bypass<br>Content-Length: 20352<br><br><br><div class="col-md-12"><br> <div class="ol-header"><br> <i class="glyphicon glyphicon-th" style="top:1px"></i><br> ............<br> </div><br> <div style="clear:both;"></div><br> <di<br><b>...[SNIP]...</b><br></span></div>
|
|
1257
|
<div class="rule"></div>
|
|
1258
|
<span class="TEXT"><br>Report generated by Burp Suite <a href="https://portswigger.net/vulnerability-scanner/">web vulnerability scanner</a> v2.0beta, at Tue Apr 30 11:27:34 CST 2024.<br><br></span>
|
|
1259
|
</div>
|
|
1260
|
</body>
|
|
1261
|
</html>
|