This page contains a mix of secure and insecure elements for testing security scanners.
| Check | Expected | Why |
|---|---|---|
| X-Content-Type-Options | PASS | Header set to nosniff |
| Referrer-Policy | PASS | Header set to strict-origin-when-cross-origin |
| Permissions-Policy | PASS | Restrictive policy set |
| Subresource Integrity | PASS | SRI hash on normalize.css |
| HTTPS (page itself) | PASS | Served over HTTPS by Cloudflare |
| Content-Security-Policy | FAIL | No CSP header set |
| Strict-Transport-Security | FAIL | No HSTS header set |
| X-Frame-Options | FAIL | No clickjacking protection |
| Mixed Content | FAIL | jQuery loaded over HTTP |
| Inline Scripts | FAIL | Inline <script> block present |
| CSRF Protection | FAIL | Login form has no CSRF token |
| Secure Cookies | FAIL | session_prefs cookie missing Secure/HttpOnly |
| Open Redirect | FAIL | /redirect?url= accepts arbitrary URLs |
| Information Disclosure | FAIL | /api/info exposes server details |
| Autocomplete on Password | FAIL | Password field has autocomplete="on" |
| DOM XSS | FAIL | location.hash written to innerHTML unsanitised |
| HTTP Response Splitting | FAIL | ?lang= reflected into Set-Cookie and Content-Language headers without CR/LF filtering |
| IFrame Sandbox Attribute | FAIL | <iframe> embedded below has no sandbox attribute, so framed content runs with full privileges |
| Permissive CORS on font | FAIL | /security/fonts/leaky.woff serves Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true — universal cross-origin access to a font resource |
| Leaked secrets in JS | FAIL | /security/js/leaked-secrets.js ships hard-coded Stripe / AWS / GitHub / Slack / Google API tokens that match nuclei's keys,tokens regexes |
| Fake WordPress install | FAIL | /security/wordpress mimics WordPress 5.4.2 with vulnerable plugins, exposed config backup, user enumeration, xmlrpc pingback, debug.log, etc. |
| webpack.stats.json exposed | FAIL | /webpack.stats.json exposes the full webpack --json dump — CI build path, internal module tree, chunk graph, and webpack version (probe-only; not linked) |
| Gatsby version disclosure | FAIL | /page-data/app-data.json leaks gatsbyVersion (CVE pivot) and the webpack compilation hash (probe-only; not linked) |
| JavaScript source map exposed | FAIL | /security/js/webpack-runtime-8f2a1c9d7e3b4a6f0d2e.js.map ships full sourcesContent, leaking un-minified source incl. a hard-coded internal API token (probe-only; not linked) |
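The header-related rows of the table can be checked mechanically. The following is an added example, not code from this test page or from any scanner it mentions: a small audit function that takes captured response headers and reproduces the table's PASS/FAIL verdicts (names such as `auditHeaders` and the sample headers are constructed for this example).

```javascript
// Added example, not code from the test page: a header audit mirroring the
// PASS/FAIL rows of the table above. Input is an object of response header
// name -> value (Set-Cookie may be an array), as a scanner would capture it.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const val = (name) => String(h[name] || "").trim();
  const findings = [];
  const report = (check, ok, why) =>
    findings.push({ check, status: ok ? "PASS" : "FAIL", why });
  // Presence checks: the table marks these FAIL only when the header is absent.
  report("Content-Security-Policy", !!h["content-security-policy"], "CSP header");
  report("Strict-Transport-Security", !!h["strict-transport-security"], "HSTS header");
  report("Referrer-Policy", !!h["referrer-policy"], "Referrer-Policy header");
  report("Permissions-Policy", !!h["permissions-policy"], "Permissions-Policy header");
  // Value checks: nosniff must be exact; X-Frame-Options must be DENY or SAMEORIGIN.
  report("X-Content-Type-Options", val("x-content-type-options").toLowerCase() === "nosniff",
    "expected nosniff");
  const xfo = val("x-frame-options").toUpperCase();
  report("X-Frame-Options", xfo === "DENY" || xfo === "SAMEORIGIN", "clickjacking protection");
  // Cookie flags: every Set-Cookie must carry both Secure and HttpOnly.
  for (const c of [].concat(h["set-cookie"] || [])) {
    const attrs = c.split(";").slice(1).map((a) => a.trim().toLowerCase());
    report("Secure Cookies", attrs.includes("secure") && attrs.includes("httponly"),
      `${c.split("=")[0].trim()} cookie needs Secure and HttpOnly`);
  }
  // CORS: wildcard origin together with credentials is the table's "universal
  // cross-origin access" case; only reported when CORS headers are present at all.
  const acao = val("access-control-allow-origin");
  const acac = val("access-control-allow-credentials").toLowerCase();
  if (acao || acac) {
    report("Permissive CORS", !(acao === "*" && acac === "true"),
      `Allow-Origin: ${acao || "(none)"}, Allow-Credentials: ${acac || "(none)"}`);
  }
  return findings;
}

// Names of the checks that failed, in table order.
function failedChecks(headers) {
  return auditHeaders(headers).filter((f) => f.status === "FAIL").map((f) => f.check);
}
// Constructed sample resembling this page's own response: nosniff, Referrer-Policy
// and Permissions-Policy present, the rest missing, and a cookie without flags.
const pageLikeHeaders = {
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "geolocation=(), camera=()",
  "Set-Cookie": ["session_prefs=abc123; Path=/"],
};
```

The CSP and Permissions-Policy rows are presence-only here, as in the table; a real audit would also parse the policy values.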
No CSRF token. Password field allows autocomplete.
Image loaded over plain HTTP:
Image loaded over HTTPS:
The /redirect?url= endpoint redirects to any URL without validation:
The /api/info endpoint exposes internal server details:
The ?lang= query parameter is reflected unsanitised into both the
Set-Cookie (preferred_lang=...) and Content-Language
response headers. Injecting CR/LF (%0d%0a) lets an attacker inject arbitrary
headers or split a second HTTP response.
Current value: en
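As an added example (not code from this test page), the header construction described above in its vulnerable form beside a hardened version, plus a small check a response test can run; function names such as `buildHeadersSafe` and the probe value are assumptions for this example.

```javascript
// Added example, not code from the test page: the vulnerable pattern described
// above (the ?lang= value copied verbatim into Set-Cookie and Content-Language)
// beside a hardened builder that only accepts a strict language-tag shape, so a
// CR or LF can never reach a header line. Function names are assumed.
const CRLF_RE = /[\r\n]/;

// Vulnerable: whatever arrives in ?lang= is placed on two header lines as-is.
function buildHeadersUnsafe(lang) {
  return {
    "Set-Cookie": `preferred_lang=${lang}; Path=/`,
    "Content-Language": lang,
  };
}

// Hardened: allowlist a BCP 47-style tag (en, en-GB, zh-Hant) and fall back to a
// fixed default instead of echoing anything else. Rejecting the request with a
// 400 is the other reasonable choice; either way request bytes never reach a header.
const LANG_TAG_RE = /^[a-z]{2,3}(-[A-Za-z0-9]{2,8})*$/;
function buildHeadersSafe(lang) {
  const safeLang = LANG_TAG_RE.test(lang) ? lang : "en";
  return {
    "Set-Cookie": `preferred_lang=${safeLang}; Path=/; Secure; HttpOnly; SameSite=Lax`,
    "Content-Language": safeLang,
  };
}

// Detection helper for a response test: does any header value still contain a
// bare CR or LF? Node's http module throws on such values, but hand-rolled
// servers and some proxies do not.
function hasSplitting(headers) {
  return Object.values(headers).some((v) => CRLF_RE.test(v));
}

// Constructed probe value: the page's %0d%0a case, URL-decoded as a framework
// would before handing it to the application.
const splitProbe = decodeURIComponent("en%0d%0aX-Injected:%201");
```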
The <iframe> below embeds another page with no sandbox
attribute, so the framed document runs with full privileges (scripts, forms,
same-origin, top-navigation, popups). Scanners flag this as
"IFrame Sandbox Attribute Not Implemented".
The font referenced below is served from
/security/fonts/leaky.woff
with Access-Control-Allow-Origin: * and
Access-Control-Allow-Credentials: true, allowing any origin to
read the font cross-origin with credentials. Scanners flag this as
"Permissive Cross-Origin Resource Sharing (CORS) Allows Universal Access".
Sample text rendered with the leaky font.
The script at
/security/js/leaked-secrets.js
contains hard-coded Stripe, AWS, GitHub, Slack, and Google API tokens
matching the patterns nuclei's keys,tokens templates look
for. Because the file is served from the same origin as this page, the
cross-origin filter in secrets-scanning pipelines lets it through and
the keys/tokens rules fire.
The subpage at /security/wordpress
masquerades as a WordPress 5.4.2 site so that scanners running tech-fingerprint
templates pick it up as WordPress and follow up with WP-specific vulnerability
checks. It serves the standard WP fingerprints (generator meta,
wp-json REST API discovery, wlwmanifest, RSD,
wp-emoji, wp-block-library CSS, twentytwentyone theme)
and exposes the usual WP attack surface — wp-login.php,
wp-admin/, xmlrpc.php, wp-json/wp/v2/users,
wp-content/uploads/, wp-content/debug.log,
wp-config.php.bak, ?author=1, readme.html,
and outdated plugin readmes (Contact Form 7, RevSlider, WP File Manager).
This page is dressed up to look like a production Gatsby (webpack) build with debug artifacts left behind. These paths are not linked anywhere — real sites never announce them. Scanners find them by probing the exact, well-known paths directly:
- /webpack.stats.json: the full webpack --json stats dump. Exposes the absolute CI build path (/home/deploy/ci/builds/…), the entire internal module tree (./src/… and ./node_modules/…), the chunk graph, and the exact webpack version. Triggers "Webpack Stats JSON Exposed".
- /page-data/app-data.json: Gatsby's per-build app data. Leaks gatsbyVersion (a direct CVE pivot) and the webpackCompilationHash. Triggers "Gatsby Version Disclosure".
- /security/js/webpack-runtime-8f2a1c9d7e3b4a6f0d2e.js.map: the runtime chunk (….js, fetched by appending the well-known .map suffix) advertises this source map via a //# sourceMappingURL= comment, and the map ships full sourcesContent, handing over the original un-minified source, including a config module with a hard-coded internal API base URL and deploy token. Triggers "JavaScript Source Map Exposed".

The search widget below reads location.hash and writes it directly into innerHTML. Append #<img src=x onerror=alert(1)> to the URL to trigger it.
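For the widget above, the fix is to stop treating the fragment as markup. The following is an added example, not the page's own widget code: pure string helpers (names such as `termFromHash` are assumed) that decode the hash and either escape it for a template or hand it to textContent, exercised with the payload quoted above.

```javascript
// Added example, not code from the test page: the hash-driven search widget
// rewritten so the fragment is never treated as markup. The helpers are pure
// string functions (names assumed) so they run outside a browser; in the page
// itself the result goes into textContent, or into innerHTML only after escaping.
function termFromHash(hash) {
  // location.hash keeps the leading "#"; the value may or may not be percent-encoded.
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // malformed escapes: keep the literal text rather than throw
  }
}

// Escape the five characters that can change HTML structure or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Safe replacement for `el.innerHTML = location.hash.slice(1)`: if markup around
// the term is wanted, build it from a constant template and escape only the data.
function searchResultMarkup(hash) {
  const term = termFromHash(hash);
  if (term === "") return '<p class="search-status">Enter a search term.</p>';
  return `<p class="search-status">Results for <b>${escapeHtml(term)}</b></p>`;
}

// In the browser the simplest form needs no escaping at all:
//   document.getElementById("search-status").textContent = termFromHash(location.hash);
```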