Website Security Test
Website Vulnerability Scanner
Security Report: https://awasaf.com/
Scan Date: April 8, 2026, 11:47 a.m. | Duration: 26.5s
This is a Light Scan result.
Risk Rating
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 0 |
| Low | 0 |
| Critical | 0 |
| High | 38 |
| Medium | 4 |
| Low | 3 |
How is the score calculated?
Scores start at 100. Deductions are: Critical (-10), High (-5), Medium (-2), Low (-1). To ensure fairness, deductions are capped per category: Critical (40), High (25), Medium (15), Low (10).
Scan Summary
| # | Item | Value |
|---|---|---|
| 1 | Input Hostname | awasaf.com |
| 2 | Scan Start Time | April 8, 2026, 11:47 a.m. |
| 3 | Scan Duration | 26.5s |
| 4 | Total Test Cases | 50 |
Target Information
| # | Item | Value |
|---|---|---|
| 1 | Target URL | https://awasaf.com/ |
| 2 | IP Address | 195.35.20.171 |
| 3 | Hosting Provider | Hostinger |
| 4 | Registrar | HOSTINGER operations, UAB |
| 5 | Programming Language | Not Detected |
| 6 | Web Server | nginx/1.18.0 (ubuntu) |
| 7 | Operating System | Linux |
| 8 | HTTPS Enabled | Enabled |
| 9 | WAF Detected | Not Detected |
Network & Infrastructure Reconnaissance
| Check | Result |
|---|---|
| Inline Connection | Yes |
| IP Address | 195.35.20.171 |
| Hosting Provider | Hostinger |
| Server | nginx/1.18.0 (ubuntu) |
| Server Disclosure CVE | No CVEs found |
| Operating System | Linux |
| Open Ports | 3306, 443 |
| Database Technology | MariaDB |
| WAF Detection | Not Detected |
| SSL Certificate | Certificate is valid |
Application Stack & Technology Fingerprinting
| Check | Result |
|---|---|
| CMS | Not Detected |
| CMS CVE | Not Applicable |
| Programming Language | Not Detected |
| Technology Disclosure CVE | None |
| Javascript Libraries | |
| Javascript Libraries CVE | No CVEs found |
| Openapi Disclosure | Not Found |
| XML RPC Endpoint Detection | Not Applicable |
Transport Layer Security (TLS) & Encryption
| Check | Result |
|---|---|
| Mixed Content Analysis | Mixed content (HTTP on HTTPS) |
| Secure Connection | Enabled |
| Unencrypted Viewstate | Not Detected |
HTTP Security Headers Analysis
| Check | Result |
|---|---|
| Missing Security Headers | CONTENT-SECURITY-POLICY, X-PERMITTED-CROSS-DOMAIN |
| Content Security Policy | Missing Content-Security-Policy header |
| Strict Transport Security | Present |
| Referrer Policy | Present |
| X Content Type Options | Present |
| CSP Analysis | OK |
| X Frame Options | OK |
| X XSS Protection | OK |
Session & Cookie Security
| Check | Result |
|---|---|
| Missing HttpOnly Flag In Cookies | Missing HttpOnly flag in cookies |
| Missing Secure Flag In Cookies | Missing Secure flag in cookies |
| Loose Cookie Domain | Secure |
Sensitive Resource & File Exposure
| Check | Result |
|---|---|
| Directory Listing | Disabled |
| Secret Files Detection | ['https://awasaf.com/sitemap.xml'] |
| Robots Txt File Found | None |
| Path Disclosure | Not Found |
| Htaccess Exposure | None |
Authentication & Credential Exposure
| Check | Result |
|---|---|
| Passwords Submitted Unencrypted | Passwords submitted unencrypted |
| Password Leakage | Not Detected |
| Password Field With Autocomplete | |
Information Disclosure & Error Handling
| Check | Result |
|---|---|
| Error Messages Analysis | Secure |
| Cross Domain Inclusion | ['cdn.tailwindcss.com', 'www.googletagmanager.com', 'cdn.jsdelivr.net', 'fonts.googleapis.com', 'lh3.googleusercontent.com'] |
Application Surface & Method Exposure
| Check | Result |
|---|---|
| HTTP Methods Allowed | GET, OPTIONS, HEAD |
| Enabled Debug Method | No |
| Enabled Options Method | Yes |
| File Upload | Not Detected |
| Client Access Policies | Not Found |
Email & Domain Security Configuration
| Check | Result |
|---|---|
| Email Extraction | Emails exposed |
| SPF | v=spf1 include:_spf.mail.hostinger.com ~all |
| DMARC | v=DMARC1; p=none |
| DKIM | Not Configured |
Abuse & Rate-Limiting Controls
| Check | Result |
|---|---|
| Rate Limit Headers | Missing Rate Limit header |
Injection & Header Manipulation
| Check | Result |
|---|---|
| Host Header Injection | Possible |
Bot & Automation Protection
| Check | Result |
|---|---|
| Captcha Detection | Not Detected |
Other Findings
| Check | Result |
|---|---|
| Registrar | HOSTINGER operations, UAB |
Deep Scan Findings
| Check | Result |
|---|---|
| CSRF | |
| SQLi Boolean Based | |
| SQLi Time Based | |
Findings – CVE (Common Vulnerabilities and Exposures)
No CVE vulnerabilities found.
Findings – CWE (Common Weakness Enumeration)
| Sr. No | Vulnerability Source | CWE ID | Severity | Description | Remediation |
|---|---|---|---|---|---|
| 1 | Passwords submitted unencrypted | CWE-319 | High | Credentials transmitted without encryption can be intercepted. | Use HTTPS-only forms and ensure encrypted transport of all authentication data. |
| 2 | Missing HttpOnly flag in cookies | CWE-1004 | High | Cookies accessible by JavaScript can be stolen via XSS. | Set the HttpOnly flag to prevent client-side script access. |
| 3 | Mixed content (HTTP on HTTPS) | CWE-319 | Medium | Sensitive information may be sent over unencrypted channels when HTTP assets load on an HTTPS page. | Ensure all assets (JS, CSS, images) load using HTTPS only. |
| 4 | Missing Content-Security-Policy header | CWE-693 | Medium | Failure to enforce mechanisms that protect against unauthorized modifications such as XSS or content injection. | Implement a strong Content-Security-Policy header such as: "Content-Security-Policy: default-src 'self'; script-src 'self'". |
| 5 | Missing Secure flag in cookies | CWE-614 | Medium | Cookies without the Secure flag may be sent over unencrypted connections. | Enable the Secure flag for all session or sensitive cookies. |
| 6 | Missing Rate Limit header | CWE-770 | Medium | Improper control of resource consumption may enable brute-force or DoS attacks. | Implement rate limiting and add headers such as 'X-RateLimit-Limit' and 'Retry-After'. |
| 7 | Missing Header: CONTENT-SECURITY-POLICY | CWE-693 | Low | The security header CONTENT-SECURITY-POLICY is missing. | Add CONTENT-SECURITY-POLICY header to server configuration. |
| 8 | Missing Header: X-PERMITTED-CROSS-DOMAIN | CWE-693 | Low | The security header X-PERMITTED-CROSS-DOMAIN is missing. | Add X-PERMITTED-CROSS-DOMAIN header to server configuration. |
| 9 | Emails exposed | CWE-200 | Low | Publicly exposed email addresses may lead to phishing or spam attacks. | Obfuscate email addresses or remove unnecessary public exposure. |