Website Security Test
Security Report: https://josaa.nic.in/
Scan Date: March 1, 2026, 6:32 a.m. | Duration: 21.28 seconds
Risk Rating
Overall Risk Rating
B (76/100)
Risk Distribution Chart
CVE Based Risk Distribution
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 1 |
| Medium | 5 |
| Low | 0 |
CWE Based Risk Distribution
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 2 |
| Medium | 1 |
| Low | 3 |
Scan Summary
| # | Item | Value |
|---|---|---|
| 1 | Input Hostname | josaa.nic.in |
| 2 | Scan Start Time | March 1, 2026, 6:32 a.m. |
| 3 | Scan Duration | 21.28 seconds |
| 4 | Total Test Cases | 50 |
Target Information
| # | Item | Value |
|---|---|---|
| 1 | Target URL | https://josaa.nic.in/ |
| 2 | IP Address | 164.100.50.244 |
| 3 | Hosting Provider | Not Disclosed |
| 4 | Registrar | Not Available |
| 5 | Programming Language | PHP |
| 6 | Web Server | Not Detected |
| 7 | Operating System | Not Detected |
| 8 | HTTPS Enabled | Yes |
| 9 | WAF Detected | Not Detected |
Original Header Response
Date: Sun, 01 Mar 2026 01:02:13 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 22637
Connection: keep-alive
Cache-Control: max-age=3, must-revalidate
Content-Encoding: gzip
Vary: Accept-Encoding
X-Varnish: 80298163 80014376
Age: 635
X-Cache: HIT
X-Cache-Hits: 1
Accept-Ranges: bytes
Strict-Transport-Security: max-age=31536000; includeSubDomains
Expect-CT: enforce,max-age=2592000
Referrer-Policy: strict-origin-when-cross-origin, strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: img-src 'self' *.google-analytics.com img.youtube.com *.s3waas.gov.in secure.gravatar.com *.twimg.com *.twitter.com translation-plugin.bhashini.co.in data:;connect-src 'self' *.s3waas.gov.in *.google-analytics.com translation-plugin.bhashini.co.in dhruva-api.bhashini.gov.in;object-src 'none';media-src 'self' *.s3waas.gov.in data:;child-src 'self';frame-src 'self' www.google.com platform.twitter.com www.facebook.com syndication.twitter.com www.youtube.com;form-action *.s3waas.gov.in 'self';frame-ancestors 'self' *.s3waas.gov.in ;upgrade-insecure-requests;worker-src 'self' *.s3waas.gov.in data:
Permissions-Policy: accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=("https://www.facebook.com" self),encrypted-media=(),execution-while-not-rendered=(),execution-while-not-rendered=(),execution-while-out-of-viewport=(),fullscreen=("https://www.youtube.com"),gamepad=(),geolocation=(),magnetometer=(),gyroscope=(),magnetometer=(),layout-animations=(),legacy-image-formats=(self),microphone=(),midi=(),navigation-override=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),vibrate=(),vr=(),screen-wake-lock=(),screen-wake-lock=(),web-share=(),xr-spatial-tracking=()
Network & Infrastructure Reconnaissance
| Check | Result |
|---|---|
| Inline Connection | Yes |
| IP Address | 164.100.50.244 |
| Open Ports Scan | 443, 80 |
| SSL Certificate Validation | Certificate is valid |
Application Stack & Technology Fingerprinting
| Check | Result |
|---|---|
| CMS Detection | WordPress (version not identified; the scanner returned "." as the version string) |
| JavaScript Libraries Detection | jquery 3.6.4 (jquery.min.js?ver=3.6.4), jquery-migrate 3.4.1, fancybox 2.1.5, and jquery-ui reported as "3.6.4". The jquery-ui value equals the WordPress `?ver=3.6.4` query string on core.min.js, which is the site's jQuery version; jQuery UI releases are numbered 1.x, so the actual jQuery UI version was not determined. Sources are listed in the raw JSON below. |
Transport Layer Security (TLS) & Encryption
| Check | Result |
|---|---|
| Secure Connection Check (HTTPS) | Yes |
| Mixed Content Analysis | Mixed content (HTTP on HTTPS), severity High, CWE-319. Sensitive information may be sent over unencrypted channels when HTTP assets load on an HTTPS page. Solution: ensure all assets (JS, CSS, images) load over HTTPS only. Triage note: the only HTTP URL the scanner recorded (see the raw JSON) is http://gmpg.org/xfn/11, the XFN profile identifier that WordPress themes emit as a `<link rel="profile">` reference. Browsers do not fetch it, so it is not mixed content in the browser's sense; the CSP above also carries `upgrade-insecure-requests`, which would upgrade any real HTTP subresource in supporting browsers. Confirm with the browser console before treating this as a finding. |
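The distinction the triage note relies on, as an added Python example (not the scanner's code and not the scanned site's markup): only references the browser actually requests can be mixed content. The HTML below is constructed to resemble a WordPress theme header; the `example.test` hosts are placeholders, and the fetched-attribute tables are a deliberately short subset of what browsers load.

```python
"""Separate real mixed content from unfetched http:// references.

Added example for this report, not scanner code. Browsers request only
certain references (script/img/iframe src, stylesheet or icon href, ...).
A <link rel="profile"> such as the XFN URL flagged above is document
metadata and is never fetched, so it cannot cause mixed content.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute naming a subresource the browser fetches (subset, not exhaustive).
FETCHED_ATTR = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "object": "data",
}
# <link rel=...> values that trigger a fetch; "profile" is deliberately absent.
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload", "manifest"}

# Constructed sample resembling a WordPress theme header; example.test hosts are placeholders.
SAMPLE_HTML = """<html><head>
<link rel="profile" href="http://gmpg.org/xfn/11">
<link rel="stylesheet" href="http://cdn.example.test/theme.css">
<script src="https://www.example.test/wp-content/themes/t/js/jquery.min.js?ver=3.6.4"></script>
</head><body>
<img src="http://cdn.example.test/logo.png">
<a href="http://partner.example.test/">partner</a>
</body></html>"""


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.mixed = []        # http:// URLs the browser would fetch into an HTTPS page
        self.not_fetched = []  # http:// URLs that are metadata or navigation only

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in FETCHED_ATTR:
            url, fetched = attrs.get(FETCHED_ATTR[tag]), True
        elif tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            url, fetched = attrs.get("href"), bool(rels & FETCHED_LINK_RELS)
        elif tag == "a":
            url, fetched = attrs.get("href"), False  # navigation, not a subresource
        else:
            return
        if url and urlparse(url).scheme == "http":
            (self.mixed if fetched else self.not_fetched).append(url)


def classify(html):
    """Return {'mixed_content': [...], 'not_fetched': [...]} for one HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return {"mixed_content": scanner.mixed, "not_fetched": scanner.not_fetched}


if __name__ == "__main__":
    for kind, urls in classify(SAMPLE_HTML).items():
        print(kind, urls)
```

Run against the sample, the stylesheet and image are reported as mixed content while the XFN profile link and the plain hyperlink are not; a scanner that greps for `http://` in the HTML source would flag all four.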
HTTP Security Headers Analysis
| Check | Result |
|---|---|
| CSP Header Analysis | Misconfigured (scanner verdict). The policy captured above sets no `default-src` and no `script-src`, `style-src`, `font-src` or `base-uri`; directives that are absent fall back to `default-src`, and with that absent too, script, stylesheet and font loading are unrestricted. `object-src 'none'`, `frame-ancestors`, `form-action` and `upgrade-insecure-requests` are present. |
| X-Frame-Options | Properly configured (`SAMEORIGIN`; the CSP `frame-ancestors` directive also restricts framing and takes precedence in browsers that support it) |
| X-XSS-Protection | Header not present. Note: X-XSS-Protection is deprecated; Chromium-based browsers removed the XSS auditor and Firefox never implemented it. Either omit the header or send `X-XSS-Protection: 0`, and address XSS through the CSP (a `script-src` directive) instead. |
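An added Python check (not the scanner's code) that makes the "Misconfigured" verdict explicit by running over the Content-Security-Policy captured in this report. It lists the fetch directives that would fall back to `default-src` and are therefore unrestricted when both are absent, the directives that never inherit, and weak source expressions in the script policy. The directive lists are a subset of CSP Level 3, chosen for this audit.

```python
"""Audit a Content-Security-Policy for the gaps behind a "Misconfigured" verdict.

Added example for this report, not scanner code. Fetch directives that are
not listed fall back to default-src; when default-src is also missing, that
resource type is unrestricted. REPORT_CSP is the policy captured in the
"Original Header Response" section of this report.
"""

REPORT_CSP = (
    "img-src 'self' *.google-analytics.com img.youtube.com *.s3waas.gov.in "
    "secure.gravatar.com *.twimg.com *.twitter.com translation-plugin.bhashini.co.in data:;"
    "connect-src 'self' *.s3waas.gov.in *.google-analytics.com "
    "translation-plugin.bhashini.co.in dhruva-api.bhashini.gov.in;"
    "object-src 'none';media-src 'self' *.s3waas.gov.in data:;child-src 'self';"
    "frame-src 'self' www.google.com platform.twitter.com www.facebook.com "
    "syndication.twitter.com www.youtube.com;form-action *.s3waas.gov.in 'self';"
    "frame-ancestors 'self' *.s3waas.gov.in ;upgrade-insecure-requests;"
    "worker-src 'self' *.s3waas.gov.in data:"
)

# Fetch directives that inherit from default-src when absent (subset of CSP3).
FALLBACK_TO_DEFAULT = [
    "script-src", "style-src", "font-src", "img-src", "connect-src",
    "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
]
# Directives that never inherit and must be set explicitly.
NO_FALLBACK = ["base-uri", "form-action", "frame-ancestors"]
# Source expressions that make a script policy effectively open.
BROAD_SOURCES = {"*", "http:", "https:", "data:"}


def parse_csp(header):
    """Split a CSP header into {directive: [sources]}; later duplicates are ignored, as in browsers."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header):
    """Return a list of human-readable findings; an empty list means no gap detected."""
    policy = parse_csp(header)
    findings = []
    has_default = "default-src" in policy
    for directive in FALLBACK_TO_DEFAULT:
        if directive not in policy and not has_default:
            findings.append(f"{directive} unrestricted (no {directive}, no default-src)")
    for directive in NO_FALLBACK:
        if directive not in policy:
            findings.append(f"{directive} not set (does not inherit from default-src)")
    for directive in ("script-src", "default-src"):
        sources = policy.get(directive, [])
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in sources:
                findings.append(f"{directive} allows {weak}")
        for src in sources:
            if src in BROAD_SOURCES:
                findings.append(f"{directive} allows broad source {src}")
    return findings


if __name__ == "__main__":
    for line in audit_csp(REPORT_CSP):
        print("-", line)
```

On the captured policy the check reports `script-src`, `style-src`, `font-src` and `manifest-src` as unrestricted and `base-uri` as unset; `img-src`, `connect-src`, `object-src`, `frame-src`, `worker-src`, `form-action` and `frame-ancestors` pass. A minimal fix is to add `default-src 'self'`, an explicit `script-src` listing the third-party script hosts, and `base-uri 'self'`, then test with the browser console for blocked resources before enforcing.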
Session & Cookie Security
| Check | Result |
|---|---|
| Missing Cookie HttpOnly Flag | Missing HttpOnly flag in cookies, severity High, CWE-1004. Cookies accessible to JavaScript can be stolen via XSS. Solution: set the HttpOnly flag to prevent client-side script access. |
| Missing Cookie Secure Flag | Missing Secure flag in cookies, severity High, CWE-614. Cookies without the Secure flag may be sent over unencrypted connections. Solution: enable the Secure flag for all session or sensitive cookies. |

Triage note: the response captured above is a Varnish cache hit and carries no `Set-Cookie` header, so this report does not show which cookies were flagged. Confirm the finding against an uncached or authenticated response (for example the WordPress login flow) and check `SameSite` at the same time, since the scanner does not report it.
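The check a practitioner would run once real `Set-Cookie` headers are in hand, as an added Python example (not the scanner's code). Because the captured response above contains no cookies, the sample headers are constructed; the cookie names are illustrative and not taken from the scanned site. It covers the two flags the scanner reports plus `SameSite` and the `__Host-` prefix rules.

```python
"""Audit Set-Cookie headers for HttpOnly, Secure, SameSite and __Host- prefix rules.

Added example for this report, not scanner code. The scanned response carried
no Set-Cookie header, so SAMPLE_SET_COOKIE below is constructed; the names are
illustrative only.
"""

# Constructed sample headers, one Set-Cookie value each.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=abc123; Path=/",
    "wordpress_logged_in_x=u%7C1; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
    "tracker=1; Path=/; SameSite=None",
    "__Host-sid=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into name, value and a lower-cased attribute dict.

    Flag attributes (Secure, HttpOnly) map to True; valued attributes keep their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return (cookie name, list of issues). An empty list means the cookie passes."""
    name, _, attrs = parse_set_cookie(header)
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    samesite = str(attrs.get("samesite", "")).lower()
    if not samesite:
        issues.append("missing SameSite (set explicitly; default handling differs by browser)")
    elif samesite == "none" and "secure" not in attrs:
        issues.append("SameSite=None requires Secure; browsers reject the cookie")
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        issues.append("__Host- prefix requires Secure, Path=/ and no Domain attribute")
    return name, issues


def audit_all(headers):
    """Audit many Set-Cookie headers; returns {cookie name: [issues]}."""
    return dict(audit_cookie(h) for h in headers)


if __name__ == "__main__":
    for name, issues in audit_all(SAMPLE_SET_COOKIE).items():
        print(f"{name}: {issues or 'ok'}")
```

For the constructed sample, `PHPSESSID` fails all three flag checks, `wordpress_logged_in_x` only lacks `SameSite`, `tracker` is a `SameSite=None` cookie without `Secure` that browsers will drop, and the two hardened cookies pass.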
Sensitive Resource & File Exposure
| Check | Result |
|---|---|
| Secret Files Detection | https://josaa.nic.in/robots.txt (from the raw JSON). robots.txt is a public file by design; review its contents for paths that should not be advertised rather than treating its presence as a finding. No security.txt was found (see the executive summary in the raw JSON). |
Information Disclosure & Error Handling
| Check | Result |
|---|---|
| Cross-Domain Inclusion | Resources referenced from third-party hosts: www.googletagmanager.com, gmpg.org, cdnbbsr.s3waas.gov.in (from the raw JSON). Scripts loaded from external hosts should be constrained by a `script-src` directive, which the captured CSP does not have; gmpg.org is the XFN profile reference noted under Mixed Content Analysis and is not fetched. |
Application Surface & Method Exposure
| Check | Result |
|---|---|
| Enabled Debug Method | No |
| Enabled OPTIONS Method | No |
Abuse & Rate-Limiting Controls
| Check | Result |
|---|---|
| Rate-Limit Headers Detection | Missing Rate Limit header, severity Medium, CWE-770. Improper control of resource consumption may enable brute-force or DoS attacks. Solution: implement rate limiting and add headers such as `X-RateLimit-Limit` and `Retry-After`. Caveat: `X-RateLimit-*` headers are advisory and non-standard; their absence does not prove that no rate limiting is enforced, and adding them does not implement it. Confirm by issuing repeated requests to the login and search endpoints and checking for HTTP 429 responses. |
Findings – CVE (Common Vulnerabilities and Exposures)
| Sr. No | Vulnerability Source | CVE ID | Severity | Score | Description | Remediation |
|---|---|---|---|---|---|---|
| 1 | jquery-3.6.4 - CVE-2016-10707 | CVE-2016-10707 | High | 7.5 | jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit. | Update to the latest version of the software or apply the latest security patches provided by the vendor. |
| 4 | jquery-3.6.4 - CVE-2007-2379 | CVE-2007-2379 | Medium | 5.0 | The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." | Update to the latest version of the software or apply the latest security patches provided by the vendor. |
| 5 | jquery-3.6.4 - CVE-2011-4969 | CVE-2011-4969 | Medium | 4.3 | Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag. | Update to the latest version of the software or apply the latest security patches provided by the vendor. |
| 6 | jquery-3.6.4 - CVE-2014-6071 | CVE-2014-6071 | Medium | 6.1 | jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after. | Update to the latest version of the software or apply the latest security patches provided by the vendor. |
| 7 | jquery-3.6.4 - CVE-2018-18405 | CVE-2018-18405 | Medium | 6.1 | jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element. NOTE: this vulnerability has been reported to be spam entry | Update to the latest version of the software or apply the latest security patches provided by the vendor. |
| 8 | jquery-ui-3.6.4 - CVE-2012-6662 | CVE-2012-6662 | Medium | 4.3 | Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo. | Update to the latest version of the software or apply the latest security patches provided by the vendor. |

Triage note: all six CVEs were matched on library name alone. Each description states its own affected versions (jQuery 3.0.0-rc.1 only, 1.4.2, 2.2.2, and versions before 1.6.3; jQuery UI before 1.10.0), none of which covers jQuery 3.6.4; CVE-2018-18405 carries an NVD note that it was reported as a spam entry, and CVE-2007-2379 names no version at all. The "jquery-ui-3.6.4" identifier repeats the WordPress `?ver=3.6.4` query string seen in the raw JSON rather than a jQuery UI release number (jQuery UI releases are 1.x), so the actual jQuery UI version was not determined. Treat these rows as false positives pending confirmation of the jQuery UI version from the file contents; jQuery 3.6.4 is nonetheless behind the 3.7.x releases, so updating remains good hygiene.
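The version-aware triage described in the note above, as an added Python example (not the scanner's code). The affected-version scopes in `CVE_SCOPE` are transcribed from the CVE descriptions in the table; the `trusted` flag is this example's way of marking a version that came from a `?ver=` query string rather than from the library itself, which is the situation for the jquery_ui entry in the raw JSON.

```python
"""Version-aware triage of the jQuery / jQuery UI CVE matches listed above.

Added example for this report, not scanner code. The scanner matched CVEs
on library name only; each CVE description quotes its own affected versions,
transcribed into CVE_SCOPE below. The jquery_ui "3.6.4" in the raw JSON equals
the WordPress ?ver= query string on core.min.js, so it is passed with
trusted=False and reported as an unknown version instead of being compared.
"""
import re

# kind "before": every release below the version; "exact": that version only;
# "unspecified": the description names no affected version (manual review).
CVE_SCOPE = {
    "jquery": {
        "CVE-2016-10707": ("exact", "3.0.0-rc.1"),
        "CVE-2007-2379": ("unspecified", None),
        "CVE-2011-4969": ("before", "1.6.3"),
        "CVE-2014-6071": ("exact", "1.4.2"),
        "CVE-2018-18405": ("exact", "2.2.2"),  # NVD note: reported as a spam entry
    },
    "jquery_ui": {
        "CVE-2012-6662": ("before", "1.10.0"),
    },
}


def parse_version(text):
    """'3.0.0-rc.1' -> ((3, 0, 0), 'rc.1'); '1.6.3' -> ((1, 6, 3), None); None if unparsable."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?", text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)


def _pad(nums, width):
    return nums + (0,) * (width - len(nums))


def is_affected(version, scope):
    """True/False for a decidable scope, None when the CVE names no version."""
    kind, ref = scope
    if kind == "unspecified":
        return None
    have, want = parse_version(version), parse_version(ref)
    if kind == "exact":
        return have == want
    # "before": compare release numbers; a pre-release of X counts as before X.
    width = max(len(have[0]), len(want[0]))
    h, w = _pad(have[0], width), _pad(want[0], width)
    if h != w:
        return h < w
    return have[1] is not None and want[1] is None


def triage(library, version, trusted=True):
    """Map each CVE for `library` to affected / not affected / manual review / unknown version."""
    result = {}
    for cve, scope in CVE_SCOPE.get(library, {}).items():
        if not trusted or parse_version(version) is None:
            result[cve] = "unknown version"
            continue
        verdict = is_affected(version, scope)
        result[cve] = "manual review" if verdict is None else ("affected" if verdict else "not affected")
    return result


if __name__ == "__main__":
    # Versions as reported in this scan's raw JSON.
    print("jquery 3.6.4:", triage("jquery", "3.6.4"))
    print("jquery_ui 3.6.4 (from ?ver=):", triage("jquery_ui", "3.6.4", trusted=False))
```

With the scan's own values, every jQuery CVE resolves to "not affected" except CVE-2007-2379, which needs a human decision because its description fixes no version, and the jQuery UI CVE is reported as "unknown version" until the real release number is read from the file.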
Findings – CWE (Common Weakness Enumeration)
| Sr. No | Vulnerability Source | CWE ID | Severity | Description | Remediation |
|---|---|---|---|---|---|
| 2 | Missing HttpOnly flag in cookies | CWE-1004 | High | Cookies accessible to JavaScript can be stolen via XSS. | Set the HttpOnly flag on session and other sensitive cookies. |
| 3 | Missing Secure flag in cookies | CWE-614 | High | Cookies without the Secure flag may be sent over unencrypted connections. | Set the Secure flag on all session or sensitive cookies. |
| 9 | Missing Rate Limit header | CWE-770 | Medium | Improper control of resource consumption may enable brute-force or DoS attacks. | Enforce rate limiting server-side; the scanner only looks for advisory headers such as X-RateLimit-Limit and Retry-After. |
| 10 | Missing Header: X-XSS-Protection | N/A | Low | The X-XSS-Protection header is not sent. | Deprecated header: Chromium-based browsers removed the XSS auditor and Firefox never implemented it. Either omit it or send X-XSS-Protection: 0, and rely on the CSP (add a script-src directive) for XSS mitigation. |
| 11 | Missing Header: X-Permitted-Cross-Domain-Policies | N/A | Low | The X-Permitted-Cross-Domain-Policies header is not sent. | Send X-Permitted-Cross-Domain-Policies: none unless crossdomain.xml or clientaccesspolicy.xml files are intentionally served. |
| 12 | X-XSS-Protection | N/A | Low | Missing X-XSS-Protection header (duplicate of row 10). | See row 10. |
| 13 | Programming Language | N/A | Info | PHP detected; no version was disclosed, so no CVE correlation was made. | Informational. Keep PHP on a supported release and avoid version disclosure in X-Powered-By. |
| 14 | CSP Header Analysis | N/A | Info | Misconfigured: no default-src, script-src, style-src or base-uri directive. | Add default-src and explicit script-src, style-src and base-uri directives; keep object-src 'none'. |
| 15 | X-Frame-Options | N/A | Info | Properly configured (SAMEORIGIN). | No action required. |
Scan Test Cases
| Sr. No | Test Case |
|---|---|
| 1 | Inline Connection |
| 2 | Ip-Address |
| 3 | Cloud_Provider |
| 4 | Server Disclosure |
| 5 | Technology Disclosure |
| 6 | Cms Detection |
| 7 | Mixed Content Analysis |
| 8 | Operating-System |
| 9 | Open Ports Scan |
| 10 | Database |
| 11 | Javascript Libraries |
| 12 | Secure Connection Check |
| 13 | Directories Listing Exposed |
| 14 | Password Exposing Pages |
| 15 | Missing Security Headers |
| 16 | Missing Content-Security-Policy |
| 17 | Missing Strict-Transport-Security |
| 18 | Missing Referrer-Policy |
| 19 | Missing X-Content-Type-Options |
| 20 | Missing Cookie http flag |
| 21 | Missing Cookie secure flag |
| 22 | Secret Files Detection |
| 23 | Security File Detection |
| 24 | WAF-Detection |
| 25 | SSL Certificate Validation |
| 26 | Loose Cookie Domain |
| 27 | CSP Header Analysis |
| 28 | OpenAPI Disclosure |
| 29 | Password Leak Detection |
| 30 | Path Disclosure |
| 31 | Error Messages Analysis |
| 32 | Rate Limit Headers |
| 33 | Email Extraction |
| 34 | Xml-RPC Endpoint Detection |
| 35 | HTTP Methods Allowed |
| 36 | Enabled Debug Method |
| 37 | Enabled OPTIONS Method |
| 38 | Cross-Domain Inclusion |
| 39 | File Upload Detection |
| 40 | Client Access Policies |
| 41 | X-FRAME OPTIONS |
| 42 | X-XSS PROTECTION |
| 43 | .htaccess Exposure |
| 44 | Captcha Detection |
| 45 | Password field with autocomplete |
| 46 | DKIM |
| 47 | SPF |
| 48 | DMARC |
| 49 | Host Header Injection |
| 50 | Unencrypted Viewstate |
Raw JSON Response
{
"host": "josaa.nic.in",
"host_url": "https://josaa.nic.in/",
"task_id": "1bf214b3-1990-49d0-abe8-523e64f73e1b",
"status": "COMPLETED",
"inline_connection": "Yes",
"original_header": {
"Date": "Sun, 01 Mar 2026 01:02:13 GMT",
"Content-Type": "text/html; charset=UTF-8",
"Content-Length": "22637",
"Connection": "keep-alive",
"Cache-Control": "max-age=3, must-revalidate",
"Content-Encoding": "gzip",
"Vary": "Accept-Encoding",
"X-Varnish": "80298163 80014376",
"Age": "635",
"X-Cache": "HIT",
"X-Cache-Hits": "1",
"Accept-Ranges": "bytes",
"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
"Expect-CT": "enforce,max-age=2592000",
"Referrer-Policy": "strict-origin-when-cross-origin, strict-origin-when-cross-origin",
"X-Content-Type-Options": "nosniff",
"X-Frame-Options": "SAMEORIGIN",
"Content-Security-Policy": "img-src 'self' *.google-analytics.com img.youtube.com *.s3waas.gov.in secure.gravatar.com *.twimg.com *.twitter.com translation-plugin.bhashini.co.in data:;connect-src 'self' *.s3waas.gov.in *.google-analytics.com translation-plugin.bhashini.co.in dhruva-api.bhashini.gov.in;object-src 'none';media-src 'self' *.s3waas.gov.in data:;child-src 'self';frame-src 'self' www.google.com platform.twitter.com www.facebook.com syndication.twitter.com www.youtube.com;form-action *.s3waas.gov.in 'self';frame-ancestors 'self' *.s3waas.gov.in ;upgrade-insecure-requests;worker-src 'self' *.s3waas.gov.in data:",
"Permissions-Policy": "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(\"https://www.facebook.com\" self),encrypted-media=(),execution-while-not-rendered=(),execution-while-not-rendered=(),execution-while-out-of-viewport=(),fullscreen=(\"https://www.youtube.com\"),gamepad=(),geolocation=(),magnetometer=(),gyroscope=(),magnetometer=(),layout-animations=(),legacy-image-formats=(self),microphone=(),midi=(),navigation-override=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),vibrate=(),vr=(),screen-wake-lock=(),screen-wake-lock=(),web-share=(),xr-spatial-tracking=()"
},
"ip_address": "164.100.50.244",
"hosting_provider": null,
"registrar": null,
"cms": {
"WordPress": "."
},
"cms_cve": null,
"server": null,
"server_disclosure_cve": null,
"programming_language": "PHP",
"technology_disclosure_cve": null,
"mixed_content_analysis": {
"Source": [
"http://gmpg.org/xfn/11"
],
"Mixed content (HTTP on HTTPS)": {
"issue": "Mixed content (HTTP on HTTPS)",
"severity": "High",
"cwe_id": "CWE-319",
"cwe_description": "Sensitive information may be sent over unencrypted channels when HTTP assets load on an HTTPS page.",
"fix": "Ensure all assets (JS, CSS, images) load using HTTPS only."
}
},
"operating_system": null,
"open_ports": [
"443",
"80"
],
"database_technology": null,
"javascript_libraries": [
{
"jquery": {
"version": "3.6.4",
"source": "https://josaa.nic.in/wp-content/themes/sdo-theme/js/jquery.min.js?ver=3.6.4"
},
"jquery_migrate": {
"version": "3.4.1",
"source": "https://josaa.nic.in/wp-content/themes/sdo-theme/js/jquery-migrate.min.js?ver=3.4.1"
},
"jquery_ui": {
"version": "3.6.4",
"source": "https://josaa.nic.in/wp-content/themes/sdo-theme/js/core.min.js?ver=3.6.4"
},
"fancybox": {
"version": "2.1.5",
"source": "https://josaa.nic.in/wp-content/themes/sdo-theme/js/jquery.fancybox.js?ver=1.1"
}
}
],
"javascript_libraries_cve": {
"jquery-3.6.4": [
{
"Id": "CVE-2007-2379",
"CWE": "CWE-200",
"Published": "2007-04-30T23:19:00",
"Description": "The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka \"JavaScript Hijacking.\"",
"Score": 5.0,
"Severity": "MEDIUM"
},
{
"Id": "CVE-2011-4969",
"CWE": "CWE-79",
"Published": "2013-03-08T22:55:01",
"Description": "Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.",
"Score": 4.3,
"Severity": "MEDIUM"
},
{
"Id": "CVE-2014-6071",
"CWE": "CWE-79",
"Published": "2018-01-16T19:29:00",
"Description": "jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after.",
"Score": 6.1,
"Severity": "MEDIUM"
},
{
"Id": "CVE-2016-10707",
"CWE": "CWE-674",
"Published": "2018-01-18T23:29:00",
"Description": "jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit.",
"Score": 7.5,
"Severity": "HIGH"
},
{
"Id": "CVE-2018-18405",
"CWE": "CWE-79",
"Published": "2020-04-22T18:15:10",
"Description": "jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element. NOTE: this vulnerability has been reported to be spam entry",
"Score": 6.1,
"Severity": "MEDIUM"
}
],
"jquery-ui-3.6.4": [
{
"Id": "CVE-2012-6662",
"CWE": "CWE-79",
"Published": "2014-11-24T16:59:01",
"Description": "Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.",
"Score": 4.3,
"Severity": "MEDIUM"
}
]
},
"secure_connection": "Yes",
"directory_listing": null,
"passwords_submitted_unencrypted": null,
"missing_security_headers": [
"X-XSS-PROTECTION",
"X-PERMITTED-CROSS-DOMAIN"
],
"missing_content_security_policy_header": null,
"missing_strict_transport_security_header": null,
"missing_referrer_policy_header": null,
"missing_x_content_type_options_header": null,
"missing_httponly_flag_in_cookies": {
"issue": "Missing HttpOnly flag in cookies",
"severity": "High",
"cwe_id": "CWE-1004",
"cwe_description": "Cookies accessible by JavaScript can be stolen via XSS.",
"fix": "Set the HttpOnly flag to prevent client-side script access."
},
"missing_secure_flag_in_cookies": {
"issue": "Missing Secure flag in cookies",
"severity": "High",
"cwe_id": "CWE-614",
"cwe_description": "Cookies without the Secure flag may be sent over unencrypted connections.",
"fix": "Enable the Secure flag for all session or sensitive cookies."
},
"secret_files_detection": [
"https://josaa.nic.in/robots.txt"
],
"robots_txt_file_found": null,
"waf_detection": null,
"ssl_certificate": "Certificate is valid",
"loose_cookie_domain": null,
"csp_header_analysis": "Misconfigured",
"openapi_disclosure": null,
"password_leakage": null,
"error_messages_analysis": null,
"path_disclosure": null,
"rate_limit_headers": {
"issue": "Missing Rate Limit header",
"severity": "Medium",
"cwe_id": "CWE-770",
"cwe_description": "Improper control of resource consumption may enable brute-force or DoS attacks.",
"fix": "Implement rate limiting and add headers such as 'X-RateLimit-Limit' and 'Retry-After'."
},
"email_extraction": null,
"xml_rpc_endpoint_detection": null,
"http_methods_allowed": null,
"enabled_debug_method": "No",
"enabled_options_method": "No",
"cross_domain_inclusion": [
"www.googletagmanager.com",
"gmpg.org",
"cdnbbsr.s3waas.gov.in"
],
"file_upload": null,
"client_access_policies": null,
"x_frame_options": "Properly Configured",
"x_xss_protection": "Missing x-xss-protection header",
"htaccess_exposure": null,
"host_header_injection": null,
"captcha_detection": null,
"password_field_with_autocomplete": null,
"spf": null,
"dmarc": null,
"dkim": null,
"unencrypted_viewstate": null,
"total_scans": [
"Inline Connection",
"Ip-Address",
"Cloud_Provider",
"Server Disclosure",
"Technology Disclosure",
"Cms Detection",
"Mixed Content Analysis",
"Operating-System",
"Open Ports Scan",
"Database",
"Javascript Libraries",
"Secure Connection Check",
"Directories Listing Exposed",
"Password Exposing Pages",
"Missing Security Headers",
"Missing Content-Security-Policy",
"Missing Strict-Transport-Security",
"Missing Referrer-Policy",
"Missing X-Content-Type-Options",
"Missing Cookie http flag",
"Missing Cookie secure flag",
"Secret Files Detection",
"Security File Detection",
"WAF-Detection",
"SSL Certificate Validation",
"Loose Cookie Domain",
"CSP Header Analysis",
"OpenAPI Disclosure",
"Password Leak Detection",
"Path Disclosure",
"Error Messages Analysis",
"Rate Limit Headers",
"Email Extraction",
"Xml-RPC Endpoint Detection",
"HTTP Methods Allowed",
"Enabled Debug Method",
"Enabled OPTIONS Method",
"Cross-Domain Inclusion",
"File Upload Detection",
"Client Access Policies",
"X-FRAME OPTIONS",
"X-XSS PROTECTION",
".htaccess Exposure",
"Captcha Detection",
"Password field with autocomplete",
"DKIM",
"SPF",
"DMARC",
"Host Header Injection",
"Unencrypted Viewstate"
],
"executive_summary": {
"Total Checks Passed": 22,
"Passed Cases": [
"Secure Connection",
"Directory Listing Exposed",
"Missing Content-Security-Policy header",
"Missing Strict-Transport-Security header",
"Missing Referrer-Policy header",
"Missing X-Content-Type-Options header",
"SSL Certificate",
"Loose cookie domain",
"OpenAPI Disclosure",
"Password Leakage",
"Error Messages Analysis",
"Path Disclosure",
"Emails exposed",
" Not Enabled Debug Method",
"Not Enabled OPTIONS Method",
"File Upload Detection",
"Client Access Policies",
".htaccess Exposure",
"Host Header Injection",
"SPF",
"DMARC",
"DKIM"
],
"Total Checks Failed": 19,
"Failed Cases": [
"Technology Disclosure",
"Mixed Content (HTTP on HTTPS)",
"Open Ports Scan",
"Javascript Libraries",
"Passwords submitted unencrypted",
"Missing Security Headers",
"Missing HttpOnly flag in cookies",
"Missing Secure flag in cookies",
"Secret Files Detection",
"robots.txt file found",
"security.txt file not found",
"WAF Detection",
"Rate Limit Headers",
"Cross-Domain Inclusion",
"X-FRAME OPTIONS",
"X-XSS PROTECTION",
"Captcha checking",
"Password field with autocomplete",
"Unencrypted Viewstate"
],
"Total CWEs Found": 4
},
"total_scan_time": "21.28 seconds",
"scan_start_timestamp": "2026-03-01 01:02:12"
}