Result

ZAP Scanning Report
Sites: https://ajax.googleapis.com https://platform.twitter.com https://sintala.kemnaker.go.id

Generated on Fri, 1 Jul 2022 06:23:25
Summary of Alerts
Risk Level Number of Alerts
High 0
Medium 6
Low 7
Informational 1
False Positives: 0
Alerts
Name Risk Level Number of Instances
Absence of Anti-CSRF Tokens Medium 35

CSP: Wildcard Directive Medium 26
CSP: script-src unsafe-inline Medium 26
CSP: style-src unsafe-inline Medium 26
Missing Anti-clickjacking Header Medium 7
Vulnerable JS Library Medium 2
Application Error Disclosure Low 1
CSP: Notices Low 26
Cookie Without Secure Flag Low 3
Cookie without SameSite Attribute Low 3
Cross-Domain JavaScript Source File Inclusion Low 86
Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) Low 102
X-Content-Type-Options Header Missing Low 16
Re-examine Cache-control Directives Informational 9
Alert Detail
Medium Absence of Anti-CSRF Tokens

Description No Anti-CSRF tokens were found in a HTML submission form.
A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to
perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack
is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS,
CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused
deputy, and sea surf.
CSRF attacks are effective in a number of situations, including:
* The victim has an active session on the target site.

* The victim is authenticated via HTTP auth on the target site.
* The victim is on the same local network as the target site.
CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose
information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS
can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.
URL https://sintala.kemnaker.go.id
Method GET
Parameter
Attack
Evidence <form action="https://sintala.kemnaker.go.id/index.php/home/cari" method="POST" id="cariFormData" class="search-box" >
URL https://sintala.kemnaker.go.id/
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/assets/publik/about.html
Method GET
Parameter
Attack
Evidence <form action="#error" method="GET" class="search-box">
URL https://sintala.kemnaker.go.id/assets/publik/contact.html
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Evidence <form action="https://sendmail.w3layouts.com/submitForm" method="post" class="cont-form p-sm-5">
URL https://sintala.kemnaker.go.id/assets/publik/services.html
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/index
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/subinstansi/3
Method GET
Parameter
Attack
Evidence <form action="https://sintala.kemnaker.go.id/index.php/home/subinstansi/3" method="GET" class="search-box" >
URL https://sintala.kemnaker.go.id/index.php/home/subinstansi/3/216
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/subinstansi/3?keyword=ZAP
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/subinstansi/image-path
Method GET
Parameter
Attack
Evidence <form action="https://sintala.kemnaker.go.id/index.php/home/subinstansi/image-path" method="GET" class="search-box" >
URL https://sintala.kemnaker.go.id/index.php/home/subinstansi/index.html
Method GET
Parameter
Attack
Evidence <form action="https://sintala.kemnaker.go.id/index.php/home/subinstansi/index.html" method="GET" class="search-box" >
Instances 35
Phase: Architecture and Design
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
For example, use anti-CSRF packages such as the OWASP CSRFGuard.
Phase: Implementation
Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.
Phase: Architecture and Design
Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable
(CWE-330).
Note that this can be bypassed using XSS.

Solution
Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended
to perform that operation.
Note that this can be bypassed using XSS.
Use the ESAPI Session Management control.
This control includes a component for CSRF.
Do not use the GET method for any request that triggers a state change.
Phase: Implementation
Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may
have disabled sending the Referer for privacy reasons.
http://projects.webappsec.org/Cross-Site-Request-Forgery
Reference
http://cwe.mitre.org/data/definitions/352.html
CWE Id 352
WASC Id 9
Plugin Id 10202
Medium CSP: Wildcard Directive

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site
Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set
Description
of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered
types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
Method GET
Parameter
Attack
Evidence default-src 'self' style-src 'self' 'unsafe-inline';
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/diklat
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/download
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/informasi
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/struktur_organisasi
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/tentang_kami
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/tugas_pokok_dan_fungsi
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/visi_misi
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/homex/statistik_instruktur_pemerintah_1
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/homex/statistik_instruktur_swasta_1
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/homex/statistik_tenaga_pelatihan_pemerintah_3
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/homex/statistik_tenaga_pelatihan_swasta_3
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Instances 26
Solution Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
http://www.w3.org/TR/CSP2/
http://www.w3.org/TR/CSP/
http://caniuse.com/#search=content+security+policy
Reference
http://content-security-policy.com/
https://github.com/shapesecurity/salvation
https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
CWE Id 693
WASC Id 15
Plugin Id 10055
Medium CSP: script-src unsafe-inline

Description
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Instances 26
Reference
CWE Id 693
WASC Id 15
Plugin Id 10055
Medium CSP: style-src unsafe-inline

Description
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Instances 26
Reference http://www.w3.org/TR/CSP2/
CWE Id 693
WASC Id 15
Plugin Id 10055
Medium Missing Anti-clickjacking Header

Description The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
URL https://sintala.kemnaker.go.id/assets/
Method GET
Parameter X-Frame-Options
Attack
Evidence
URL https://sintala.kemnaker.go.id/assets/publik/
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
URL https://sintala.kemnaker.go.id/assets/publik/index.html
Method GET
Attack
Evidence
Method GET
Attack
Evidence
URL https://sintala.kemnaker.go.id/assets/uploads/download/
Method GET
Attack
Evidence
Instances 7
Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your
site/app.
Solution
If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never
expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id 1021
WASC Id 15
Plugin Id 10020
Medium Vulnerable JS Library

Description The identified library jquery, version 3.1.0 is vulnerable.
URL https://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js
Method GET
Parameter
Attack
Evidence /3.1.0/jquery.min.js
URL https://sintala.kemnaker.go.id/assets/publik/assets/js/jquery-3.3.1.min.js
Method GET
Parameter
Attack
Evidence jquery-3.3.1.min.js
Instances 2
Solution Please upgrade to the latest version of jquery.
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
Reference
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
CWE Id 829
WASC Id
Plugin Id 10003
Low Application Error Disclosure

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This
Description information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a
documentation page.
URL https://sintala.kemnaker.go.id/index.php/home/profile/
Method GET
Parameter
Attack
Evidence HTTP/1.1 500 Internal Server Error
Instances 1
Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the
Solution
client (browser) while logging the details on the server side and not exposing them to the user.
Reference
CWE Id 200
WASC Id 13
Plugin Id 90022
Low CSP: Notices

Description
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Instances 26
Reference
CWE Id 693
WASC Id 15
Plugin Id 10055
Low Cookie Without Secure Flag

Description A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.
Method GET
Parameter ci_session_sintala
Attack
Evidence Set-Cookie: ci_session_sintala
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/login
Method GET
Attack
Instances 3
Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag
Solution
is set for cookies containing such sensitive information.
https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-
Reference
Testing_for_Cookies_Attributes.html
CWE Id 614
WASC Id 13
Plugin Id 10011
Low Cookie without SameSite Attribute
A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an
Description
effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.
Method GET
Attack
Method GET
Attack
Method GET
Attack
Instances 3
Solution Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
Reference https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site
CWE Id 1275
WASC Id 13
Plugin Id 10054
Low Cross-Domain JavaScript Source File Inclusion

Description The page includes one or more script files from a third-party domain.
Method GET
Parameter https://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js
Attack
Evidence <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js"></script>
Method GET
Parameter https://platform.twitter.com/widgets.js
Attack
Evidence <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
URL https://sintala.kemnaker.go.id/index.php/home/blog/101/pembukaan-diklat-dasar-instruktur-blk-komunitas
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/blog/108/pembukaan-pelatihan-tenaga-pelatihan-blk-komunitas-angakatan-vi-s.d-x-tahun-2022-di-belezza-hotel-
jakarta
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/blog/110/kerjasama-antara-kementrian-ketenagakerjaan-ri-dengan-pt.huawei-tech-investement
Method GET
Attack
Method GET
Attack
Method GET
Parameter https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js
Attack
Evidence <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
Method GET
Attack
Method GET
Attack
Method GET
Parameter https://platform.twitter.com/widgets.js
Attack
Evidence <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/news
Method GET
Attack
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/049a52fb-5679-4d54-a3c0-28dc1b3f2dea
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/054d9e76-8667-41ef-af80-4af191914a97
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/16650a62-c351-4e38-99c9-45db0ae6ed65
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/21bea4e6-3e79-43f3-b664-d24732aeec08
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/23c72fe2-c671-42c1-abba-a2247c79ebaf
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/3109ae0f-c46b-4925-aaec-9013ecff641c
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/332b8bd1-12a4-4c5d-a756-4a4fe017e9cb
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/36d0ecac-4c74-47ed-9b39-2b3c44cf9e87
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/5ed870ea-16ae-41c2-b6e3-4917bb029ed0
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/612c616e-7f8f-4f89-8881-c985e2acd51c
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/669ed336-84c5-49a0-8b51-a6ecf3ac5abe
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/6c6f1cd1-60ac-4761-9003-a90adec33b94
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/74bb855b-2a36-48ac-a2a1-a1f3ce3066da
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/7566e772-da44-455c-917f-b53b3d989e6b
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/8bd255d4-c193-4fac-8bbf-92ddf47c88ad
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/8cfe163e-154b-4afb-be1e-bff32195b2cd
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/96c484ad-01bd-4bb5-abae-a8a13a61fe70
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/9e7395d3-c32b-439f-8ee9-900f435757b9
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/a587654d-5c8d-4e0d-8011-42f76f2f0e16
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/b90df16c-0d62-4794-af9a-dab678303313
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/bb7a6113-741e-44bc-b23b-d4c7c386f184
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/bdc179f2-ec7e-4ab5-b5b1-92bcf6146efc
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/cc8b4d05-3f34-4a84-845d-8d990f9bd271
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/d0c52ea1-7533-4f32-b97a-1ef5879323e2
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/f96d0634-5aaa-4492-a9ad-12919b557a6a
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
Method GET
Attack
URL https://sintala.kemnaker.go.id/index.php/home/cari
Method POST
Attack
Instances 86
Solution Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.
Reference
CWE Id 829
WASC Id 15
Plugin Id 10017
Low Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers
Description
identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.
Method GET
Parameter
Attack
Evidence X-Powered-By: PHP/7.3.31
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/blog-single
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/blog/101/pembukaan-diklat-dasar-instruktur-blk-komunitas
Method GET
Parameter
Attack
https://sintala.kemnaker.go.id/index.php/home/blog/108/pembukaan-pelatihan-tenaga-pelatihan-blk-komunitas-angakatan-vi-s.d-x-tahun-2022-di-belezza-hotel-
URL
jakarta
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/blog/110/kerjasama-antara-kementrian-ketenagakerjaan-ri-dengan-pt.huawei-tech-investement
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/image-path
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/index.html
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/02890eb3-0198-4ee6-a3df-cc185f3d1627
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/049a52fb-5679-4d54-a3c0-28dc1b3f2dea
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/054d9e76-8667-41ef-af80-4af191914a97
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/0939db1e-8f68-4fa5-9aa4-cf3ebb2aae6a
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/093c3280-df50-4209-9694-f5d183db406b
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/0e202557-449e-4591-9808-75d379484d09
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/0f3cfa15-4e50-4333-9981-942df932414c
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/1263f2ab-d269-452f-8e5f-c630bb8d089a
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/16650a62-c351-4e38-99c9-45db0ae6ed65
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/21bea4e6-3e79-43f3-b664-d24732aeec08
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/23c72fe2-c671-42c1-abba-a2247c79ebaf
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/24e2cebe-814c-45df-b80d-1683b2d47a4a
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/3109ae0f-c46b-4925-aaec-9013ecff641c
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/3304138e-465c-4264-a14b-0d1ef52e2acd
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/332b8bd1-12a4-4c5d-a756-4a4fe017e9cb
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/34fab50b-eedc-43c8-91a8-1ae0e7aa98e0
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/36d0ecac-4c74-47ed-9b39-2b3c44cf9e87
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/39f61f2e-4d73-45f7-9bd9-200028e6820d
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/4360e2a2-928b-463b-9591-293acd7e4c70
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/4ea3b825-3ac4-4927-beea-967d27cc5faa
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/5ed870ea-16ae-41c2-b6e3-4917bb029ed0
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/612c616e-7f8f-4f89-8881-c985e2acd51c
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/669ed336-84c5-49a0-8b51-a6ecf3ac5abe
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/6c6f1cd1-60ac-4761-9003-a90adec33b94
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/74bb855b-2a36-48ac-a2a1-a1f3ce3066da
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/7566e772-da44-455c-917f-b53b3d989e6b
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/8132ea66-309b-411d-a639-4feb067d3edd
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/8bd255d4-c193-4fac-8bbf-92ddf47c88ad
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/8cfe163e-154b-4afb-be1e-bff32195b2cd
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/8ea53c70-4647-4041-aee2-fd23fcbfd325
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/96c484ad-01bd-4bb5-abae-a8a13a61fe70
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/9ab42f00-a1c5-4525-8b1d-9302f3127ff2
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/9e7395d3-c32b-439f-8ee9-900f435757b9
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/a587654d-5c8d-4e0d-8011-42f76f2f0e16
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/b90df16c-0d62-4794-af9a-dab678303313
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/bb7a6113-741e-44bc-b23b-d4c7c386f184
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/bdc179f2-ec7e-4ab5-b5b1-92bcf6146efc
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/c5b2cc65-f464-45e6-9de5-7ed79acc1e62
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/cc8b4d05-3f34-4a84-845d-8d990f9bd271
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/cd864ed9-2dda-473a-894a-12414801471f
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/d0c52ea1-7533-4f32-b97a-1ef5879323e2
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/e26e008e-ed3c-4635-be7c-c393564c0984
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/f6c5fa6c-c98a-439c-8097-24a2a21a1d66
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/f6deccb1-3163-422b-b37d-376e89bae836
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/f96d0634-5aaa-4492-a9ad-12919b557a6a
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/profile/fad375a2-fd6d-4af3-93cd-41fd0552c5e3
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/homex/image-path
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/homex/index.html
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://sintala.kemnaker.go.id/index.php/home/cari
Method POST
Parameter
Attack
Instances 102
Solution Ensure that your web server, application server, load balancer, etc. is configured to suppress "X-Powered-By" headers.
http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx
Reference
http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html
CWE Id 200
WASC Id 13
Plugin Id 10037
Low X-Content-Type-Options Header Missing

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-
Description sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.
Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
Method GET
Parameter X-Content-Type-Options
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
URL https://sintala.kemnaker.go.id/assets/publik/assets/js/bootstrap.min.js
Method GET
Attack
Evidence
URL https://sintala.kemnaker.go.id/assets/publik/assets/js/counter.js
Method GET
Attack
Evidence
URL https://sintala.kemnaker.go.id/assets/publik/assets/js/jquery-3.3.1.min.js
Method GET
Attack
Evidence
URL https://sintala.kemnaker.go.id/assets/publik/assets/js/jquery.magnific-popup.min.js
Method GET
Attack
Evidence
URL https://sintala.kemnaker.go.id/assets/publik/assets/js/theme-change.js
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
URL https://sintala.kemnaker.go.id/assets/uploads/download/39851-format-surat-pernyataan-dikdas-2020.docx
Method GET
Attack
Evidence
URL https://sintala.kemnaker.go.id/assets/uploads/download/93272-formulir-portofolio-inpassing-format-permenaker-2018.doc
Method GET
Attack
Evidence
URL https://sintala.kemnaker.go.id/assets/uploads/download/9721d-perpres_no_58_2007.doc
Method GET
Attack
Evidence
URL https://sintala.kemnaker.go.id/assets/uploads/download/e98b7-b.-materi-sosialisasi-kkni-vii-bergi.pptx
Method GET
Attack
Evidence
Instances 16
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web
pages.
Solution
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by
the web application/web server to not perform MIME-sniffing.
http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
Reference
https://owasp.org/www-community/Security_Headers
CWE Id 693
WASC Id 15
Plugin Id 10021
Informational Re-examine Cache-control Directives

The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files
Description
this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.
Method GET
Parameter Cache-Control
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
URL https://sintala.kemnaker.go.id/assets/uploads/download/39851-format-surat-pernyataan-dikdas-2020.docx
Method GET
Attack
Evidence
URL https://sintala.kemnaker.go.id/assets/uploads/download/e98b7-b.-materi-sosialisasi-kkni-vii-bergi.pptx
Method GET
Attack
Evidence
Instances 9
Whenever possible ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached consider setting the
Solution
directives "public, max-age, immutable".
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
Reference
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
CWE Id 525
WASC Id 13
Plugin Id 10015

Result

Uploaded by

Copyright:

Available Formats

Result

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Result

Uploaded by

Copyright:

Available Formats

ZAP Scanning Report

Sites: https://ajax.googleapis.com https://platform.twitter.com https://sintala.kemnaker.go.id

Risk Level Number of Alerts

Name Risk Level Number of Instances

Absence of Anti-CSRF Tokens Medium 35

Medium Absence of Anti-CSRF Tokens

CSRF attacks are effective in a number of situations, including:

* The victim has an active session on the target site.

* The victim is on the same local network as the target site.

For example, use anti-CSRF packages such as the OWASP CSRFGuard.

Phase: Architecture and Design

Note that this can be bypassed using XSS.

Note that this can be bypassed using XSS.

Use the ESAPI Session Management control.

This control includes a component for CSRF.

Medium CSP: Wildcard Directive

Medium CSP: script-src unsafe-inline

Medium CSP: style-src unsafe-inline

Medium Missing Anti-clickjacking Header

Medium Vulnerable JS Library

Low Application Error Disclosure

Low CSP: Notices

Low Cookie Without Secure Flag

Low Cross-Domain JavaScript Source File Inclusion

Low X-Content-Type-Options Header Missing

Informational Re-examine Cache-control Directives

You might also like