Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn’t return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Vector type | HTTP method | Action
---|---|---
server | GET | https://brainy-kids-frontend.vercel.app/

The server responded with a status code that is neither 200 (OK) nor 404 (Not Found). This is a non-issue; however, exotic HTTP response status codes can provide useful insights into the behavior of the web application and assist with the penetration test.
HTTP by itself is a stateless protocol. Therefore the server is unable to determine which requests are performed by which client, and which clients are authenticated or unauthenticated.
The use of HTTP cookies within the headers allows a web server to identify each individual client and can therefore determine which clients hold valid authentication from those that do not. These are known as session cookies.
When a cookie is set by the server (sent in the header of an HTTP response) there are several flags that can be set to configure the properties of the cookie and how it is to be handled by the browser.
One of these flags is known as the secure flag. When the secure flag is set, the browser will prevent it from being sent over a clear text channel (HTTP) and only allow it to be sent when an encrypted channel is used (HTTPS).
Arachni discovered that a cookie was set by the server without the secure flag being set. Although the initial setting of this cookie was via an HTTPS connection, any HTTP link to the same server will result in the cookie being sent in clear text.

Vector type | HTTP method | Action
---|---|---
cookie | GET | https://brainy-kids-frontend.vercel.app/

allowed_methods, backdoors, backup_directories, backup_files, captcha, code_injection, code_injection_php_input_wrapper, code_injection_timing, common_admin_interfaces, common_directories, common_files, cookie_set_for_parent_domain, credit_card, csrf, cvs_svn_users, directory_listing, emails, file_inclusion, form_upload, hsts, htaccess_limit, html_objects, http_only_cookies, http_put, insecure_client_access_policy, insecure_cookies, insecure_cors_policy, insecure_cross_domain_policy_access, insecure_cross_domain_policy_headers, interesting_responses, ldap_injection, localstart_asp, mixed_resource, no_sql_injection, no_sql_injection_differential, origin_spoof_access_restriction_bypass, os_cmd_injection, os_cmd_injection_timing, password_autocomplete, path_traversal, private_ip, response_splitting, rfi, session_fixation, source_code_disclosure, sql_injection, sql_injection_differential, sql_injection_timing, ssn, trainer, unencrypted_password_forms, unvalidated_redirect, unvalidated_redirect_dom, webdav, x_frame_options, xpath_injection, xss, xss_dom, xss_dom_script_context, xss_event, xss_path, xss_script_context, xss_tag, xst, xxe

Option | Value
---|---
"parameter_values" | true
"exclude_vector_patterns" | []
"include_vector_patterns" | []
"link_templates" | []
"links" | true
"forms" | true
"cookies" | true
"ui_inputs" | true
"ui_forms" | true
"jsons" | true
"xmls" | true

Option | Value
---|---
"local_storage" | {}
"wait_for_elements" | {}
"pool_size" | 6
"job_timeout" | 25
"worker_time_to_live" | 100
"ignore_images" | false
"screen_width" | 1600
"screen_height" | 1200

Option | Value
---|---
"values" | {}
"default_values" |
"without_defaults" | false
"force" | false

Option | Value
---|---
"user_agent" | "Arachni/v1.4"
"request_timeout" | 10000
"request_redirect_limit" | 5
"request_concurrency" | 20
"request_queue_size" | 100
"request_headers" | {}
"response_max_size" | 500000
"cookies" | {}

Option | Value
---|---
"report_path" | "/tmp/scan.afr"

Option | Value
---|---
"redundant_path_patterns" | {}
"dom_depth_limit" | 5
"exclude_file_extensions" | []
"exclude_path_patterns" | []
"exclude_content_patterns" | []
"include_path_patterns" | []
"restrict_paths" | []
"extend_paths" | []
"url_rewrites" | {}

At the time these issues were logged there were no abnormal interferences or anomalous server behavior. These issues are considered trusted and accurate.
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn’t return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
Configure your web server to include an X-Frame-Options header.
server using GET at https://brainy-kids-frontend.vercel.app/ pointing to https://brainy-kids-frontend.vercel.app/.

Type | In | Action
---|---|---
server | https://brainy-kids-frontend.vercel.app/ | https://brainy-kids-frontend.vercel.app/

Raw HTTP request used to retrieve the page.
GET / HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Thu, 19 Jun 2025 10:10:12 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2F&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: sfo1::gndjm-1750327811420-d087c6a4f2a2
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252F&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
The server responded with a status code that is neither 200 (OK) nor 404 (Not Found). This is a non-issue; however, exotic HTTP response status codes can provide useful insights into the behavior of the web application and assist with the penetration test.
server using GET at https://brainy-kids-frontend.vercel.app/localstart.asp pointing to https://brainy-kids-frontend.vercel.app/localstart.asp.
Raw HTTP request used to retrieve the page.
GET /localstart.asp HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=1
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Thu, 19 Jun 2025 10:10:14 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2Flocalstart.asp&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: sfo1::hsmnp-1750327814081-1e3b8bb23918
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252Flocalstart.asp&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
server using GET at https://brainy-kids-frontend.vercel.app/1971c33861a71e30b3ab3c9d3032405e pointing to https://brainy-kids-frontend.vercel.app/1971c33861a71e30b3ab3c9d3032405e.
Raw HTTP request used to retrieve the page.
GET /1971c33861a71e30b3ab3c9d3032405e HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=1
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Thu, 19 Jun 2025 10:10:14 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2F1971c33861a71e30b3ab3c9d3032405e&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: sfo1::6h66d-1750327814050-320a8fcf79d4
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252F1971c33861a71e30b3ab3c9d3032405e&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
server using GET at https://brainy-kids-frontend.vercel.app/clientaccesspolicy.xml pointing to https://brainy-kids-frontend.vercel.app/clientaccesspolicy.xml.
Raw HTTP request used to retrieve the page.
GET /clientaccesspolicy.xml HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=1
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Thu, 19 Jun 2025 10:10:14 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2Fclientaccesspolicy.xml&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: sfo1::sqbp4-1750327814047-23f6a13cedd5
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252Fclientaccesspolicy.xml&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
server using PUT at https://brainy-kids-frontend.vercel.app/Arachni-1971c33861a71e30b3ab3c9d3032405e pointing to https://brainy-kids-frontend.vercel.app/Arachni-1971c33861a71e30b3ab3c9d3032405e.
Raw HTTP request used to retrieve the page.
PUT /Arachni-1971c33861a71e30b3ab3c9d3032405e HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=1
Content-Length: 55
Expect: 100-continue

Created by Arachni. PUT1971c33861a71e30b3ab3c9d3032405e
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 100 Continue
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Thu, 19 Jun 2025 10:10:14 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2FArachni-1971c33861a71e30b3ab3c9d3032405e&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: sfo1::6mbqw-1750327814038-00a7764eca9f
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252FArachni-1971c33861a71e30b3ab3c9d3032405e&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
server using GET at https://brainy-kids-frontend.vercel.app/crossdomain.xml pointing to https://brainy-kids-frontend.vercel.app/crossdomain.xml.
Raw HTTP request used to retrieve the page.
GET /crossdomain.xml HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=1
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Thu, 19 Jun 2025 10:10:14 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2Fcrossdomain.xml&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: sfo1::6h66d-1750327814017-5a496cb5ea7f
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252Fcrossdomain.xml&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
server using GET at https://brainy-kids-frontend.vercel.app/%3E%22'%3E%3Cmy_tag_1971c33861a71e30b3ab3c9d3032405e/%3E pointing to https://brainy-kids-frontend.vercel.app/%3E%22'%3E%3Cmy_tag_1971c33861a71e30b3ab3c9d3032405e/%3E.
https://brainy-kids-frontend.vercel.app/%3E%22'%3E%3Cmy_tag_1971c33861a71e30b3ab3c9d3032405e/%3E
Raw HTTP request used to retrieve the page.
GET /%3E%22'%3E%3Cmy_tag_1971c33861a71e30b3ab3c9d3032405e/%3E HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=1
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Thu, 19 Jun 2025 10:10:13 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2F%253E%2522'%253E%253Cmy_tag_1971c33861a71e30b3ab3c9d3032405e%2F%253E&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: sfo1::wvgx9-1750327813833-26162f9869bd
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252F%25253E%252522'%25253E%25253Cmy_tag_1971c33861a71e30b3ab3c9d3032405e%252F%25253E&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
server using GET at https://brainy-kids-frontend.vercel.app/%3Cmy_tag_1971c33861a71e30b3ab3c9d3032405e/%3E pointing to https://brainy-kids-frontend.vercel.app/%3Cmy_tag_1971c33861a71e30b3ab3c9d3032405e/%3E.
https://brainy-kids-frontend.vercel.app/%3Cmy_tag_1971c33861a71e30b3ab3c9d3032405e/%3E
Raw HTTP request used to retrieve the page.
GET /%3Cmy_tag_1971c33861a71e30b3ab3c9d3032405e/%3E HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=1
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Thu, 19 Jun 2025 10:10:13 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2F%253Cmy_tag_1971c33861a71e30b3ab3c9d3032405e%2F%253E&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: sfo1::pxc6z-1750327813766-7e1b91085faa
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252F%25253Cmy_tag_1971c33861a71e30b3ab3c9d3032405e%252F%25253E&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
server using GET at https://brainy-kids-frontend.vercel.app/ pointing to https://brainy-kids-frontend.vercel.app/.

Type | In | Action
---|---|---
server | https://brainy-kids-frontend.vercel.app/ | https://brainy-kids-frontend.vercel.app/

Raw HTTP request used to retrieve the page.
GET / HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=%0D%0AX-CRLF-Safe-1971c33861a71e30b3ab3c9d3032405e:+no
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Thu, 19 Jun 2025 10:10:12 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2F&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: sfo1::2xj4v-1750327812272-2b05626df097
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252F&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
HTTP by itself is a stateless protocol. Therefore the server is unable to determine which requests are performed by which client, and which clients are authenticated or unauthenticated.
The use of HTTP cookies within the headers allows a web server to identify each individual client and can therefore determine which clients hold valid authentication from those that do not. These are known as session cookies.
When a cookie is set by the server (sent in the header of an HTTP response) there are several flags that can be set to configure the properties of the cookie and how it is to be handled by the browser.
One of these flags is known as the secure flag. When the secure flag is set, the browser will prevent it from being sent over a clear text channel (HTTP) and only allow it to be sent when an encrypted channel is used (HTTPS).
Arachni discovered that a cookie was set by the server without the secure flag being set. Although the initial setting of this cookie was via an HTTPS connection, any HTTP link to the same server will result in the cookie being sent in clear text.
The initial steps to remedy this depend on whether the cookie is sensitive in nature.
If the cookie does not contain any sensitive information then the risk of this vulnerability is reduced; however, if the cookie does contain sensitive information, then the server should ensure that the cookie has its secure flag set.
Generates a simple list of safe/unsafe URLs.
HTTP status code | URL |
---|---|
307 | https://brainy-kids-frontend.vercel.app/ |