Vulnerability Scan Result
| Title: | Telegram: Contact @ninicky1 |
| Description: | No description found |
| IP address | 149.154.167.99 |
| Country | GB  |
| AS number | AS62041 |
| Net name | Telegram Messenger Inc |
| Software / Version | Category |
|---|---|
| Bootstrap | UI frameworks |
| Nginx 1.18.0 | Web servers, Reverse proxies |
| Open Graph | Miscellaneous |
| Paper.js | JavaScript graphics |
| HSTS | Security |
Web Application Vulnerabilities
Evidence
| Risk Level | CVSS | CVE | Summary | Affected software |
|---|---|---|---|---|
| 7.8 | CVE-2022-41741 | NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module. | nginx 1.18.0 | |
| 7.5 | CVE-2023-44487 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | nginx 1.18.0 | |
| 7.1 | CVE-2022-41742 | NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module. | nginx 1.18.0 | |
| 6.8 | CVE-2021-23017 | A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact. | nginx 1.18.0 | |
| 5.8 | CVE-2021-3618 | ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer. | nginx 1.18.0 |
Vulnerability description
We noticed known vulnerabilities in the target application based on the server responses. They are usually related to outdated systems and expose the affected applications to the risk of unauthorized access to confidential data and possibly denial of service attacks. Depending on the system distribution the affected software can be patched but displays the same version, requiring manual checking.
Recommendation
In order to eliminate the risk of these vulnerabilities, we recommend you check the installed software version and upgrade to the latest version.
Classification
| CWE | CWE-1026 |
| OWASP Top 10 - 2017 | A9 - Using Components with Known Vulnerabilities |
| OWASP Top 10 - 2021 | A6 - Vulnerable and Outdated Components |
Evidence
| URL | Evidence |
|---|---|
| https://t.me/ninicky1 | Response headers do not include the X-Content-Type-Options HTTP security header |
Vulnerability description
We noticed that the target application's server responses lack the <code>X-Content-Type-Options</code> header. This header is particularly important for preventing Internet Explorer from reinterpreting the content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header.
Recommendation
We recommend setting the X-Content-Type-Options header such as `X-Content-Type-Options: nosniff`.
Classification
| CWE | CWE-693 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| URL | Evidence |
|---|---|
| https://t.me/ninicky1 | Response headers do not include the Referrer-Policy HTTP security header as well as the <meta> tag with name 'referrer' is not present in the response. |
Vulnerability description
We noticed that the target application's server responses lack the <code>Referrer-Policy</code> HTTP header, which controls how much referrer information the browser will send with each request originated from the current web application.
Recommendation
The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value `no-referrer` of this header instructs the browser to omit the Referer header entirely.
Classification
| CWE | CWE-693 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| URL | Evidence |
|---|---|
| https://t.me/ninicky1 | Response headers include the HTTP Content-Security-Policy security header with the following security issues:`default-src: The default-src directive should be set as a fall-back when other restrictions have not been specified. script-src: script-src directive is missing. frame-ancestors: This directive tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. The recommended value is 'none' or 'self'. base-uri: Missing base-uri allows the injection of base tags. They can be used to set the base URL for all relative (script) URLs to an attacker controlled domain. We recommend setting it to 'none' or 'self'. object-src: Missing object-src allows the injection of plugins which can execute JavaScript. We recommend setting it to 'none'.` |
Vulnerability description
We noticed that the Content-Security-Policy (CSP) header configured for the web application includes unsafe directives. The CSP header activates a protection mechanism implemented in web browsers which prevents exploitation of Cross-Site Scripting vulnerabilities (XSS) by restricting the sources from which content can be loaded or executed.
Recommendation
Remove the unsafe values from the directives, adopt nonces or hashes for safer inclusion of inline scripts if they are needed, and explicitly define the sources from which scripts, styles, images or other resources can be loaded.
Classification
| CWE | CWE-693 |
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Evidence
| Software / Version | Category |
|---|---|
| Bootstrap | UI frameworks |
| Nginx 1.18.0 | Web servers, Reverse proxies |
| Open Graph | Miscellaneous |
| Paper.js | JavaScript graphics |
| HSTS | Security |
Vulnerability description
We noticed that server software and technology details are exposed, potentially aiding attackers in tailoring specific exploits against identified systems and versions.
Recommendation
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.
Classification
| OWASP Top 10 - 2017 | A6 - Security Misconfiguration |
| OWASP Top 10 - 2021 | A5 - Security Misconfiguration |
Vulnerability description
Website is accessible.
Infrastructure Vulnerabilities
Evidence
| Domain Queried | DNS Record Type | Description | Value |
|---|---|---|---|
| t.me | A | IPv4 address | 149.154.167.99 |
| t.me | NS | Name server | ns-cloud-b2.googledomains.com |
| t.me | NS | Name server | ns-cloud-b3.googledomains.com |
| t.me | NS | Name server | ns-cloud-b4.googledomains.com |
| t.me | NS | Name server | ns-cloud-b1.googledomains.com |
| t.me | SOA | Start of Authority | ns-cloud-b1.googledomains.com. dns.jomax.net.t.me. 2017053102 28800 7200 604800 600 |
| t.me | AAAA | IPv6 address | 2001:67c:4e8:f004::9 |
| t.me | SPF | Sender Policy Framework | "v=spf1 -all" |
| _dmarc.t.me | TXT | Text record | "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s" |
Recommendation
We recommend reviewing all DNS records associated with the domain and identifying and removing unused or obsolete records.