fya scan report

http://127.0.0.1:5099 | kind web | profile aggressive | 6.5s | 24 checks
7 high, 5 medium, 3 low, 1 info
high

Server-Side Template Injection via parameter 'name'

A03:2021 Injection | CWE-1336 | confidence high | http://127.0.0.1:5099/greet?name=world [param: name]

A template expression injected into parameter 'name' was evaluated by the server. The product 49660049 appeared in the response but the literal payload did not, confirming server-side evaluation. Engine hint: arithmetic evaluated inside {{ }} points to Jinja2 or Twig (Django's template language does not evaluate 7919*6271); the Werkzeug/Python Server header reported below makes Jinja2 the likely engine.

Fix. Never build the template source from user input; pass the value in as a template variable so it is rendered as data under auto-escaping. Where templates must be assembled dynamically, use a sandboxed template environment and still keep user data out of the template source.
payload: {{7919*6271}}, evaluated product: 49660049 found in response
high

Sensitive file exposed: /.env

A05:2021 Security Misconfiguration | CWE-538 | confidence medium | http://127.0.0.1:5099/.env

The environment secrets file at /.env is served publicly and returned HTTP 200 with plausible content, potentially leaking secrets, source, or infrastructure details.

Fix. Block access to dotfiles, VCS metadata, backups, and config from the web root. Serve only intended public assets.
HTTP 200, 44 bytes, content-type: text/plain; charset=utf-8
high

SQL injection via parameter 'id'

A03:2021 Injection | CWE-89 | confidence medium | http://127.0.0.1:5099/user?id=1 [param: id]

Appending a single quote to this parameter produced a database error signature in the response ('unrecognized token' is SQLite's parser error for an unterminated string), indicating that the input is concatenated into a SQL statement and that raw database errors reach the client.

Fix. Use parameterized queries or prepared statements and never build SQL by string concatenation. Separately, stop returning verbose database errors to clients: log them server-side and send a generic error response.
error signature: unrecognized token
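Added example, not part of the scan output or of the scanned application: the concatenated query that produces exactly this 'unrecognized token' signature, the bound-parameter version that treats the same input as data, and a handler that keeps the engine's error text out of the response. The table, rows and function names are constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample data; not the scanned application's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_user_vulnerable(conn, user_id):
    # String concatenation: whatever arrives in ?id= is parsed as SQL syntax.
    sql = "SELECT id, name FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, user_id):
    # Parameter binding: the value is handed to the engine as data, never parsed as SQL.
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def probe_error_signature(conn, user_id):
    """The scanner's test: append a single quote and see whether the raw database error
    escapes. Returns the error text (the signature) or None when nothing leaks."""
    try:
        lookup_user_vulnerable(conn, user_id + "'")
    except sqlite3.Error as exc:
        return str(exc)
    return None


def respond_safe(conn, user_id):
    """Hardened handler: bound parameter, and any database error is turned into a
    generic response (log it server-side; logging omitted here) instead of the
    engine's own message."""
    try:
        rows = lookup_user_safe(conn, user_id)
    except sqlite3.Error:
        return 500, "internal error"
    return 200, rows
```

Note that the bound version returns no rows for "1 OR 1=1" and for "1'" rather than erroring or widening the query: SQLite compares the whole string against the integer column and finds no match.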
high

Reflected XSS via parameter 'q'

A03:2021 Injection | CWE-79 | confidence high | http://127.0.0.1:5099/search?q=phone [param: q]

A unique probe injected into this parameter was reflected in the HTML response without encoding, so attacker-controlled markup executes in the victim browser.

Fix. Contextually encode all user input on output and apply a strict Content-Security-Policy. Prefer framework auto-escaping.
reflected unescaped: <fya>fya1da20be8c5cd</fya>
high

Reflected XSS via parameter 'name'

A03:2021 Injection | CWE-79 | confidence high | http://127.0.0.1:5099/greet?name=world [param: name]

A unique probe injected into this parameter was reflected in the HTML response without encoding, so attacker-controlled markup executes in the victim browser.

Fix. Contextually encode all user input on output and apply a strict Content-Security-Policy. Prefer framework auto-escaping.
reflected unescaped: <fya>fya1c5e70799ba3</fya>
high

CRLF injection via parameter 'lang'

A03:2021 Injection | CWE-93 | confidence high | http://127.0.0.1:5099/setheader?lang=en [param: lang]

A CR LF sequence injected into parameter 'lang' caused the server to emit an attacker-controlled response header ('Fya-Test: fya3341886fa529'). This enables HTTP response splitting, cache poisoning, and cookie injection.

Fix. Reject, rather than merely strip, CR (\r) and LF (\n) in any value that flows into a response header, and fail the request. Use framework abstractions that validate header values instead of writing headers by hand.
injected header Fya-Test: fya3341886fa529
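Added example covering the two reflected XSS findings above and this CRLF finding; it is not code from the scanner or from the scanned application. It shows the raw-interpolation and context-encoded versions of the greeting, the scanner's unescaped-probe check, and a model of the /setheader endpoint that serializes a response head and reads it back the way a proxy would, so the injected line visibly becomes a second header. The probe token, header names and function names are constructed.

```python
import html
import re

# Constructed probe in the style of the report's evidence lines; not a real scan token.
PROBE = "<fya>fya0000example</fya>"
_CTL = re.compile(r"[\r\n\x00]")


def greet_vulnerable(name):
    # Raw interpolation: markup in `name` becomes part of the document.
    return f"<p>Hello {name}</p>"


def greet_safe(name):
    # HTML text/attribute context: &, <, >, " and ' are encoded before interpolation.
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def reflected_unescaped(body, probe=PROBE):
    """The scanner's check: the probe appears verbatim, angle brackets intact."""
    return probe in body


def header_value_is_safe(value):
    """A header field may not contain CR, LF or NUL; anything else is a splitting attempt."""
    return _CTL.search(value) is None


def add_header_vulnerable(headers, name, value):
    headers.append((name, value))


def add_header_safe(headers, name, value):
    # Reject rather than silently strip, so the request fails closed and can be logged.
    if not (header_value_is_safe(name) and header_value_is_safe(value)):
        raise ValueError(f"control character in header {name!r}")
    headers.append((name, value))


def serialize_head(status, headers):
    """Put the response head on the wire the way an HTTP/1.1 server does."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_head(raw):
    """Read it back the way a proxy or browser does: every CRLF starts a new field."""
    head = raw.split("\r\n\r\n", 1)[0]
    fields = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def setheader_vulnerable(lang):
    """Model of /setheader: the lang parameter flows straight into a response header."""
    headers = [("Content-Type", "text/html; charset=utf-8")]
    add_header_vulnerable(headers, "Content-Language", lang)
    return parse_head(serialize_head("200 OK", headers))


def setheader_safe(lang):
    """Same endpoint, failing closed on CR/LF instead of emitting the attacker's header."""
    headers = [("Content-Type", "text/html; charset=utf-8")]
    try:
        add_header_safe(headers, "Content-Language", lang)
    except ValueError:
        return parse_head(serialize_head("400 Bad Request", headers[:1]))
    return parse_head(serialize_head("200 OK", headers))
```

html.escape covers the HTML body and quoted-attribute contexts only; a value placed inside a script block, a URL or a CSS rule needs that context's own encoding.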
high

CORS reflects arbitrary origin with credentials

A05:2021 Security Misconfiguration | CWE-942 | confidence high | http://127.0.0.1:5099/cors

The response reflects an attacker-supplied Origin into Access-Control-Allow-Origin while also allowing credentials, letting a malicious site read authenticated responses.

Fix. Validate Origin against a strict server-side allowlist and send Vary: Origin when echoing an allowed value. Browsers already refuse a literal * together with credentials, so the dangerous pattern is the reflected Origin combined with Access-Control-Allow-Credentials: true; never emit that combination.
Access-Control-Allow-Origin: https://evil.example; Access-Control-Allow-Credentials: true
medium

Open redirect via parameter 'url'

A01:2021 Broken Access Control | CWE-601 | confidence high | http://127.0.0.1:5099/go?url=/ [param: url]

This parameter controls the redirect target without validation, so an attacker can send victims to an arbitrary external site for phishing.

Fix. Redirect only to a same-origin path (no scheme, no host, no leading // or backslash) or to a host from a server-side allowlist. Reject client-supplied absolute URLs, including protocol-relative ones.
Location: https://fya-oob.example/fya007a8793a84e
medium

Missing Content-Security-Policy header

A05:2021 Security Misconfiguration | CWE-693 | confidence high | http://127.0.0.1:5099

No Content-Security-Policy header was returned. CSP is the primary defense-in-depth control against cross-site scripting and data injection in the browser.

Fix. Set a Content-Security-Policy that restricts script and object sources to trusted origins.
response headers: ['connection', 'content-length', 'content-type', 'date', 'server', 'set-cookie']
medium

Host header injection: spoofed Host reflected in response

A05:2021 Security Misconfiguration | CWE-644 | confidence medium | http://127.0.0.1:5099/link

The application reflects the HTTP Host header value into its response without validation. An attacker can poison password-reset links, cache entries, or absolute URLs by supplying a crafted Host header.

Fix. Maintain a server-side allowlist of valid hostnames. Never use the request Host header to construct absolute URLs or links.
reflected in response body; reflected in absolute link: http://fyaa18d9c9f2894.evil.example/
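Added example for the CORS, open redirect and Host header findings above (example code, not from the scanner or the scanned application): the three checks share one shape, a server-side allowlist that the request value is compared against, never echoed. The allowed origin, allowed hosts and canonical base URL are assumed deployment values, and the redirect validator shows the protocol-relative and backslash cases that a plain "starts with /" check misses.

```python
import re
from urllib.parse import urlsplit

# Assumed deployment values (not taken from the report): the real front-end origin
# and the hostnames this application is served under.
ALLOWED_ORIGINS = {"https://app.example"}
ALLOWED_HOSTS = {"app.example", "127.0.0.1:5099"}
CANONICAL_BASE = "https://app.example"


def cors_headers(origin):
    """Emit CORS headers only for an allowlisted Origin; unknown origins get none.
    Vary: Origin stops a shared cache from serving one origin's answer to another."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


# Whitespace, backslash and control characters have no place in a redirect target;
# browsers treat a backslash as a slash, so "/\evil.example" would leave the site.
_BAD = re.compile(r"[\s\\\x00-\x1f]")


def safe_redirect_target(url, default="/"):
    """Accept only a same-origin absolute path; everything else falls back to default."""
    if not url or _BAD.search(url):
        return default
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:          # https://..., //evil.example, javascript:...
        return default
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return url


def host_is_allowed(host):
    """Compare the request Host against the configured allowlist, case-insensitively."""
    if not host:
        return False
    return host.strip().lower().rstrip(".") in ALLOWED_HOSTS


def absolute_link(path):
    """Build absolute URLs (password-reset links, canonical links) from configuration,
    never from the request's Host header."""
    return CANONICAL_BASE + path
```

A request whose Host fails host_is_allowed should be answered with 400 before any handler runs; that is the usual place for the check, a middleware or the framework's trusted-hosts setting.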
medium

Cookie 'session' missing flags: HttpOnly, SameSite

A05:2021 Security Misconfiguration | CWE-614 | confidence high | http://127.0.0.1:5099

The cookie 'session' is set without the HttpOnly and SameSite attributes. Without HttpOnly, script running in the page (for example via the reflected XSS above) can read the session cookie; without SameSite, the browser attaches it to cross-site requests, weakening CSRF protection.

Fix. Set HttpOnly and SameSite (Lax or Strict) on session and auth cookies, and Secure as well once the application is served over HTTPS (the scanned URL is plain HTTP, where a Secure cookie would never be sent back).
Set-Cookie: session=...
medium

CSRF: POST form at 'http://127.0.0.1:5099/transfer' has no CSRF token

A01:2021 Broken Access Control | CWE-352 | confidence medium | http://127.0.0.1:5099/transfer

A POST form targeting 'http://127.0.0.1:5099/transfer' contains no hidden input whose name matches known CSRF token field names (csrf, xsrf, _token, authenticity_token, csrfmiddlewaretoken, nonce). Without a token an attacker can forge requests on behalf of authenticated users.

Fix. Add a secret per-session CSRF token to every state-changing form and verify it server-side with a constant-time comparison. Set SameSite=Lax or Strict on the session cookie as a defense-in-depth measure, not as a replacement for the token.
form inputs found: amount
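Added example of the per-session token the fix describes, not code from the scanner or the scanned application: the token is derived as an HMAC of the session id under a server secret, so it is bound to the session, cannot be forged without the key, and needs no server-side storage; the /transfer handler refuses the request before touching any state when the token is missing, belongs to another session, or is wrong. The secret key, session-id format, field name _token and the amount field are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: a real deployment loads this from configuration so it survives restarts
# and is shared by all workers; a fresh random key per process is enough for this demo.
SECRET_KEY = secrets.token_bytes(32)


def new_session_id():
    return secrets.token_urlsafe(32)


def csrf_token(session_id):
    """Per-session token: HMAC-SHA256(SECRET_KEY, session id), hex encoded."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id, submitted):
    if not session_id or not submitted:
        return False
    # Constant-time comparison so timing cannot leak the expected token byte by byte.
    return hmac.compare_digest(csrf_token(session_id), submitted)


def render_transfer_form(session_id):
    """Every state-changing form carries the token as a hidden field."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="_token" value="{csrf_token(session_id)}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(session_id, form):
    """POST /transfer: verify the token first; only then act on the amount."""
    if not csrf_valid(session_id, form.get("_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form.get('amount')}"
```

The session id used for the HMAC is the one read from the session cookie of the incoming request, so a forged cross-site POST, which carries the victim's cookie but cannot read the victim's page, never has a matching _token.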
low

Version disclosed in server header

A05:2021 Security Misconfiguration | CWE-200 | confidence high | http://127.0.0.1:5099

The server header reveals software and version (Werkzeug/3.1.8 Python/3.12.10), which helps an attacker match the target to known CVEs.

Fix. Suppress or genericize the server header at the server or proxy.
server: Werkzeug/3.1.8 Python/3.12.10
low

Missing clickjacking protection

A05:2021 Security Misconfiguration | CWE-1021 | confidence high | http://127.0.0.1:5099

Neither X-Frame-Options nor a CSP frame-ancestors directive was found, so the page can be framed by other origins and is exposed to clickjacking.

Fix. Set X-Frame-Options: DENY or a CSP frame-ancestors 'none' directive.
response headers: ['connection', 'content-length', 'content-type', 'date', 'server', 'set-cookie']
low

Missing X-Content-Type-Options header

A05:2021 Security Misconfiguration | CWE-693 | confidence high | http://127.0.0.1:5099

Responses do not send X-Content-Type-Options: nosniff, allowing browsers to MIME-sniff content and interpret responses as an unintended type.

Fix. Add X-Content-Type-Options: nosniff to all responses.
response headers: ['connection', 'content-length', 'content-type', 'date', 'server', 'set-cookie']
info

Missing Referrer-Policy header

A05:2021 Security Misconfiguration | CWE-200 | confidence high | http://127.0.0.1:5099

No Referrer-Policy header was returned; full URLs may leak to third parties via the Referer header.

Fix. Set Referrer-Policy: strict-origin-when-cross-origin or stricter (no-referrer). no-referrer-when-downgrade is the legacy default and still sends the full URL, query string included, to every cross-origin HTTPS destination.
response headers: ['connection', 'content-length', 'content-type', 'date', 'server', 'set-cookie']
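Added example, not code from the scanner or the scanned application, that addresses the header and cookie findings in one place (missing CSP, cookie flags, Server version, clickjacking, nosniff, Referrer-Policy) and the /.env exposure: a WSGI middleware that refuses dotfile paths, adds HttpOnly/SameSite/Secure to cookies the application sets, adds the missing security headers when the application did not set its own, and replaces the Server banner. The policy values, the stand-in application and the cookie name are assumptions; the CSP especially must be tuned to the sources the real application uses. The call() helper runs the app in-process so the result can be inspected without a socket.

```python
from wsgiref.util import setup_testing_defaults

# Headers the scan reported missing. The values are assumptions to start from;
# the CSP in particular must be tuned to the sources the application really uses.
SECURITY_HEADERS = [
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self'; object-src 'none'; "
     "frame-ancestors 'none'; base-uri 'self'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]


def harden_cookie(value, https):
    """Add HttpOnly and SameSite=Lax when absent; add Secure only when served over
    HTTPS, since a Secure cookie set over plain HTTP is simply never sent back."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    if "httponly" not in attrs:
        parts.append("HttpOnly")
    if "samesite" not in attrs:
        parts.append("SameSite=Lax")
    if https and "secure" not in attrs:
        parts.append("Secure")
    return "; ".join(parts)


def is_hidden_path(path):
    """True for /.env, /.git/config or /static/.htpasswd: any dotfile path segment."""
    return any(seg.startswith(".") for seg in path.split("/") if seg)


def hardened(app):
    """WSGI middleware: refuse dotfile paths, fix cookie attributes, add the missing
    security headers and replace the Server banner with a generic value."""
    def middleware(environ, start_response):
        https = environ.get("wsgi.url_scheme") == "https"

        def hardened_start(status, headers, exc_info=None):
            out, present = [], set()
            for name, value in headers:
                key = name.lower()
                if key == "server":
                    continue                      # no software/version disclosure
                if key == "set-cookie":
                    value = harden_cookie(value, https)
                present.add(key)
                out.append((name, value))
            out.extend((n, v) for n, v in SECURITY_HEADERS if n.lower() not in present)
            out.append(("Server", "app"))
            return start_response(status, out, exc_info)

        if is_hidden_path(environ.get("PATH_INFO", "")):
            hardened_start("404 Not Found", [("Content-Type", "text/plain; charset=utf-8")])
            return [b"not found"]
        return app(environ, hardened_start)
    return middleware


def demo_app(environ, start_response):
    """Constructed stand-in for the scanned app: bare session cookie, no security headers."""
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Set-Cookie", "session=abc123; Path=/"),
    ])
    return [b"<p>hello</p>"]


def call(app, path, scheme="http"):
    """Invoke a WSGI app in-process (no socket) and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["wsgi.url_scheme"] = scheme
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

For a Flask application (an assumption; the report only shows the Werkzeug dev server) the middleware is mounted with app.wsgi_app = hardened(app.wsgi_app). Werkzeug's dev server adds its own Server banner only when the application has not set one, which the middleware does; in production suppress it at the reverse proxy regardless, as the finding says, and block dotfiles there too so the application is the second line of defense rather than the first.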