Template expressions injected into parameter 'name' were evaluated by the server. Two distinct products (49660049 and 33134261) appeared for their respective payloads, were absent from a benign baseline, and the literal payloads did not appear, confirming server-side evaluation. Engine hint: jinja2/twig/django.
Fix. Never pass user input to template rendering functions. Use template variables with auto-escaping and sandboxed template engines where dynamic template construction is needed.
payload: {{7919*6271}}, evaluated products: 49660049, 33134261 found in response
The environment secrets file at /.env is served publicly and returned HTTP 200 with plausible content, potentially leaking secrets, source, or infrastructure details.
Fix. Block access to dotfiles, VCS metadata, backups, and config from the web root. Serve only intended public assets.
Appending a quote character to this parameter produced a database error signature in the response, indicating input is concatenated into a SQL statement.
Fix. Use parameterized queries or prepared statements. Never build SQL by string concatenation, and suppress verbose database errors in responses.
A unique probe injected into this parameter was reflected into the HTML response without entity-encoding the angle brackets, which may allow script injection depending on the output context. Manual confirmation of the reflection context is recommended.
Fix. Contextually encode all user input on output and apply a strict Content-Security-Policy. Prefer framework auto-escaping.
A unique probe injected into this parameter was reflected into the HTML response without entity-encoding the angle brackets, which may allow script injection depending on the output context. Manual confirmation of the reflection context is recommended.
Fix. Contextually encode all user input on output and apply a strict Content-Security-Policy. Prefer framework auto-escaping.
A CR LF sequence injected into parameter 'lang' caused the server to emit an attacker-controlled response header ('Fya-Test: fya81044298f54c'). This enables HTTP response splitting, cache poisoning, and cookie injection.
Fix. Strip or reject CR (\r) and LF (\n) characters from any value that flows into response headers. Use framework abstractions that handle header encoding.
The response reflects an attacker-supplied Origin into Access-Control-Allow-Origin while also allowing credentials, letting a malicious site read authenticated responses.
Fix. Validate Origin against a strict server-side allowlist and never combine a wildcard or reflected origin with Access-Control-Allow-Credentials: true.
No Content-Security-Policy header was returned. CSP is the primary defense-in-depth control against cross-site scripting and data injection in the browser.
Fix. Set a Content-Security-Policy that restricts script and object sources to trusted origins.
The application reflects the HTTP Host header value into its response without validation. An attacker can poison password-reset links, cache entries, or absolute URLs by supplying a crafted Host header.
Fix. Maintain a server-side allowlist of valid hostnames. Never use the request Host header to construct absolute URLs or links.
reflected in response body; reflected in absolute link: http://fya91b909298fd2.evil.example/
A POST form targeting 'http://127.0.0.1:5099/transfer' contains no hidden input whose name matches known CSRF token field names (csrf, xsrf, _token, authenticity_token, csrfmiddlewaretoken, nonce). Without a token an attacker can forge requests on behalf of authenticated users.
Fix. Add a secret per-session CSRF token to every state-changing form and verify it server-side. Consider the SameSite=Strict cookie attribute as a defence-in-depth measure.
A05:2021 Security Misconfiguration | confidence high | http://127.0.0.1:5099/.well-known/security.txt
No valid security.txt was found at /.well-known/security.txt or /security.txt. A security.txt file gives researchers a documented channel to report vulnerabilities.
Fix. Publish a security.txt at /.well-known/security.txt with a Contact and Policy field.