| Version: | 0.7 |
| Target URL: | http://10.34.33.46:8080/ |
| Start Time: | Wed Jul 16 23:29:46 EST 2014 |
| Finish Time: | Wed Jul 16 23:36:20 EST 2014 |
Scan results:
Security Hardening items show vulnerabilities with medium or low severity. Such security hardening is suggested in order to enhance your application's security.
SSL/TLS Mis-configuration [1 issue]
Description: An SSL/TLS mis-configuration exists on the target's web server. The current configuration cannot adequately secure the communication between the browser and the server.
Issues:
1. Target URL does not appear to support SSL.
Advice:
1. Enable SSL for your site, or at least make sure the URLs that transmit sensitive data are only accessible through secure HTTPS connections.
Reference:
OWASP - https://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001)
Anti-reflection (XSS) [all urls]
Description: It appears that your site does not use the X-XSS-PROTECTION header to mitigate reflected XSS attacks.
Affected URLs: All URLs in the sitemap.
Advice: Implement X-XSS-PROTECTION header.
References:
OWASP - https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Strict MIME Type [11 urls]
Description: A MIME type mismatch was found or the nosniff header is missing. Some browsers will automatically switch to using an interpreter for the real content type. This increases exposure to XSS attacks.
Affected URLs:
URLs without nosniff response header. Number of pages: 11
GET request for http://10.34.33.46:8080/
GET request for http://10.34.33.46:8080/eap.css
GET request for http://10.34.33.46:8080/images/product_title.png
GET request for http://10.34.33.46:9990/console/App.html
GET request for http://10.34.33.46:9990/console/app/app.nocache.js
GET request for http://10.34.33.46:9990/console/app/font/font-awesome.css
GET request for http://10.34.33.46:9990/console/app/js/protovis-3.2-PATCHED/protovis-d3.2-PATCHED-COMPRESSED.js
GET request for http://10.34.33.46:9990/console/app/lab.css
GET request for http://10.34.33.46:9990/console/app/workbench.css
GET request for http://10.34.33.46:9990/console/images/loading_lite.gif
GET request for http://10.34.33.46:9990/console/index.html
Advice: Use the response header X-Content-Type-Options: nosniff to prevent MIME sniffing, or make sure no MIME type mismatches exist.
References:
OWASP - https://www.owasp.org/index.php/List_of_useful_HTTP_headers
CAPEC-209 - http://capec.mitre.org/data/definitions/209.html
Frame busting [1 url]
Description: An attacker uses multiple transparent or opaque layers to trick users into clicking on another page when they were intending to click on the top-level page.
Affected URLs:
http://10.34.33.46:8080/
Advice: Send the X-Frame-Options: DENY or SAMEORIGIN response header to prevent framing from other domains.
Reference:
OWASP - https://www.owasp.org/index.php/List_of_useful_HTTP_headers
A full URL list of the scanned target. Number of pages: 18
The modules below were skipped because of errors; for more details, see the scan log or contact the administrator.
Exceptional modules: method_check