Analysis of how to pentest a website, and follow-up

(Monday, 14/02/22)

Carrying out the repair process for the website cirebon.kemenag.go.id

Results of the pentest analysis

  1. waiting for the follow-up results from the central team
  2. continuously fixing the program on localhost
  3. continuously checking the website
  4. sharing with the team




Pentest analysis

Cirebon Pentest Report

Generated with ZAP on Mon 14 Feb 2022, at 09:27:28

Contents

About this report

Report parameters

Contexts

No contexts were selected, so all contexts were included by default.

Sites

The following sites were included:

  • https://cirebon.kemenag.go.id
  • http://cirebon.kemenag.go.id

(If no sites were selected, all sites were included by default.)

An included site must also be within one of the included contexts for its data to be included in the report.

Risk levels

Included: High, Medium, Low, Informational

Excluded: None

Confidence levels

Included: User Confirmed, High, Medium, Low

Excluded: User Confirmed, High, Medium, Low, False Positive

Summaries

Alert counts by risk and confidence

This table shows the number of alerts for each level of risk and confidence included in the report.

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

Risk \ Confidence   User Confirmed   High        Medium      Low         Total
High                0 (0.0%)         0 (0.0%)    0 (0.0%)    0 (0.0%)    0 (0.0%)
Medium              0 (0.0%)         0 (0.0%)    0 (0.0%)    0 (0.0%)    0 (0.0%)
Low                 0 (0.0%)         0 (0.0%)    2 (40.0%)   1 (20.0%)   3 (60.0%)
Informational       0 (0.0%)         0 (0.0%)    0 (0.0%)    2 (40.0%)   2 (40.0%)
Total               0 (0.0%)         0 (0.0%)    2 (40.0%)   3 (60.0%)   5 (100%)

Alert counts by site and risk

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

Alerts with a confidence level of "False Positive" have been excluded from these counts.

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

Site                              High (= High)   Medium (>= Medium)   Low (>= Low)   Informational (>= Informational)
https://cirebon.kemenag.go.id     0 (0)           0 (0)                1 (1)          1 (2)
http://cirebon.kemenag.go.id      0 (0)           0 (0)                2 (2)          1 (3)

Alert counts by alert type

This table shows the number of alerts of each alert type, together with the alert type's risk level.

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

Alert type                                      Risk            Count
Absence of Anti-CSRF Tokens                     Low             128 (2,560.0%)
Incomplete or No Cache-control Header Set       Low             150 (3,000.0%)
Timestamp Disclosure - Unix                     Low             69 (1,380.0%)
Charset Mismatch                                Informational   24 (480.0%)
Information Disclosure - Suspicious Comments    Informational   10 (200.0%)
Total                                                           5

Note that the bracketed percentages are computed against the total of 5 in the last row (the number of alerts listed in the Alerts section below), while the per-type counts are far larger than that total; this is why the percentages exceed 100% and should not be read as shares of the five alerts.

Alerts

  1. Risk=Low, Confidence=Medium (2)

    1. https://cirebon.kemenag.go.id (1)

      1. Incomplete or No Cache-control Header Set (1)
        1. GET https://cirebon.kemenag.go.id/

    2. http://cirebon.kemenag.go.id (1)

      1. Absence of Anti-CSRF Tokens (1)
        1. GET http://cirebon.kemenag.go.id

  2. Risk=Low, Confidence=Low (1)

    1. http://cirebon.kemenag.go.id (1)

      1. Timestamp Disclosure - Unix (1)
        1. GET http://cirebon.kemenag.go.id

  3. Risk=Informational, Confidence=Low (2)

    1. https://cirebon.kemenag.go.id (1)

      1. Charset Mismatch (1)
        1. GET https://cirebon.kemenag.go.id/index.php?format=xml&rest_route=%2Foembed%2F1.0%2Fembed&url=https%3A%2F%2Fcirebon.kemenag.go.id%2F%3Fpage_id%3D49

    2. http://cirebon.kemenag.go.id (1)

      1. Information Disclosure - Suspicious Comments (1)
        1. GET http://cirebon.kemenag.go.id/wp-content/themes/corponotch/assets/js/html5.min.js?ver=3.7.3

Appendix

Alert types

This section contains additional information on the types of alerts in the report.

  1. Absence of Anti-CSRF Tokens

     Source: raised by a passive scanner (Absence of Anti-CSRF Tokens)
     CWE ID: 352
     WASC ID: 9
     Reference:
       1. http://projects.webappsec.org/Cross-Site-Request-Forgery
       2. http://cwe.mitre.org/data/definitions/352.html

  2. Incomplete or No Cache-control Header Set

     Source: raised by a passive scanner (Incomplete or No Cache-control Header Set)
     CWE ID: 525
     WASC ID: 13
     Reference:
       1. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
       2. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control

  3. Timestamp Disclosure - Unix

     Source: raised by a passive scanner (Timestamp Disclosure)
     CWE ID: 200
     WASC ID: 13
     Reference:
       1. http://projects.webappsec.org/w/page/13246936/Information%20Leakage

  4. Charset Mismatch

     Source: raised by a passive scanner (Charset Mismatch)
     CWE ID: 436
     WASC ID: 15
     Reference:
       1. http://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection

  5. Information Disclosure - Suspicious Comments

     Source: raised by a passive scanner (Information Disclosure - Suspicious Comments)
     CWE ID: 200
     WASC ID: 13