Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. Current browsers also honor the Content-Security-Policy frame-ancestors directive, which takes precedence over X-Frame-Options when both are present; a page that sets neither can be framed by any origin.
Vector type | HTTP method | Action
---|---|---
server | GET | https://brainy-kids-frontend.vercel.app/
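As an added example (not part of the Arachni report or of the scanned site's code), the following Python function classifies the framing policy a response advertises from its headers alone, giving Content-Security-Policy frame-ancestors precedence over X-Frame-Options as browsers do. CAPTURED_307_HEADERS is built from the GET / response recorded later in this report; HARDENED_HEADERS is a hypothetical remediated variant.

```python
"""Added example: classify a response's framing policy from its headers.

CAPTURED_307_HEADERS is reconstructed from the 307 response in this report;
HARDENED_HEADERS is a hypothetical remediated variant.
"""
from typing import Mapping


def framing_policy(headers: Mapping[str, str]) -> str:
    """Return "deny", "sameorigin", "allowlist" or "unprotected".

    Browsers give Content-Security-Policy frame-ancestors precedence over
    X-Frame-Options when both are present, so it is evaluated first. The
    obsolete X-Frame-Options ALLOW-FROM form is not honored by current
    browsers and is therefore treated as unprotected.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if sources == ["none"]:
                return "deny"
            if sources == ["self"]:
                return "sameorigin"
            return "allowlist"

    xfo = lowered.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "sameorigin"
    return "unprotected"


# Headers of the GET / response captured by the scanner (body and Location omitted).
CAPTURED_307_HEADERS = {
    "Cache-Control": "no-store",
    "Content-Type": "text/html",
    "Server": "Vercel",
    "Set-Cookie": "__clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Clerk-Auth-Reason": "dev-browser-missing",
    "X-Clerk-Auth-Status": "handshake",
}

# Hypothetical remediated response: the same headers plus an explicit framing policy.
HARDENED_HEADERS = dict(
    CAPTURED_307_HEADERS,
    **{
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    },
)

if __name__ == "__main__":
    for label, hdrs in (("captured", CAPTURED_307_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {framing_policy(hdrs)}")
```

The flagged response is a 307 redirect to the Clerk handshake endpoint; the framing policy that matters for clickjacking is the one on the final rendered document, so the check should be repeated on the pages reached once the handshake completes.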
The server responded with a status code that is neither 200 (OK) nor 404 (Not Found). This is a non-issue; however, unusual HTTP response status codes can provide useful insights into the behavior of the web application and assist with the penetration test.
HTTP by itself is a stateless protocol. Therefore the server is unable to determine which requests are performed by which client, and which clients are authenticated or unauthenticated.
The use of HTTP cookies within the headers allows a web server to identify each individual client and can therefore distinguish clients that hold valid authentication from those that do not. Cookies used for this purpose are known as session cookies.
When a cookie is set by the server (sent in the Set-Cookie header of an HTTP response) there are several flags that can be set to configure the properties of the cookie and how it is to be handled by the browser. One of these flags is known as the Secure flag. When the Secure flag is set, the browser will prevent the cookie from being sent over a clear-text channel (HTTP) and only allow it to be sent when an encrypted channel is used (HTTPS).
Arachni discovered that a cookie was set by the server without the Secure flag. Although the initial setting of this cookie was via an HTTPS connection, any HTTP link to the same server will result in the cookie being sent in clear text. In the responses captured in this report the cookie in question is __clerk_redirect_count (HttpOnly, SameSite=Lax, Max-Age=3, no Secure attribute). The same responses carry Strict-Transport-Security with includeSubDomains and preload, so a browser that enforces HSTS will upgrade an http:// link to HTTPS before the cookie is sent; the clear-text exposure is therefore limited to clients that do not honor HSTS, but the flag should still be set.
Vector type | HTTP method | Action
---|---|---
cookie | GET | https://brainy-kids-frontend.vercel.app/
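As an added example (not part of the Arachni report or of the scanned site's code), this Python snippet parses a Set-Cookie value and reports missing Secure, HttpOnly and SameSite attributes, together with the __Host- and __Secure- name-prefix rules browsers enforce. CAPTURED_COOKIE is the value recorded in this report's responses; HARDENED_COOKIE and the other samples are constructed.

```python
"""Added example: audit a Set-Cookie header for missing protection attributes.

CAPTURED_COOKIE is the value seen in this report's responses; the other
samples are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict[str, str] = field(default_factory=dict)  # lower-cased attribute names


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie value into name, value and an attribute map."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: dict[str, str] = {}
    for piece in pieces[1:]:
        if piece:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def audit_cookie(header: str) -> list[str]:
    """Return a list of findings; an empty list means the cookie passes."""
    cookie = parse_set_cookie(header)
    attrs = cookie.attrs
    findings: list[str] = []
    secure = "secure" in attrs

    if not secure:
        findings.append("missing Secure: sent over clear-text HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script (XSS)")

    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: browsers default to Lax, state it explicitly")
    elif samesite == "none" and not secure:
        findings.append("SameSite=None without Secure: browsers reject the cookie")

    # Cookie-name prefixes carry extra requirements that browsers enforce.
    if cookie.name.startswith("__Host-"):
        if not secure or attrs.get("path") != "/" or "domain" in attrs:
            findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    elif cookie.name.startswith("__Secure-") and not secure:
        findings.append("__Secure- prefix requires Secure")
    return findings


# Set-Cookie value captured in the scanner's 307 responses.
CAPTURED_COOKIE = "__clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3"
# Hypothetical remediated form of the same cookie.
HARDENED_COOKIE = "__clerk_redirect_count=1; SameSite=Lax; HttpOnly; Secure; Max-Age=3"

if __name__ == "__main__":
    for header in (CAPTURED_COOKIE, HARDENED_COOKIE):
        print(header, "->", audit_cookie(header) or "ok")
```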
Checks: allowed_methods, backdoors, backup_directories, backup_files, captcha, code_injection, code_injection_php_input_wrapper, code_injection_timing, common_admin_interfaces, common_directories, common_files, cookie_set_for_parent_domain, credit_card, csrf, cvs_svn_users, directory_listing, emails, file_inclusion, form_upload, hsts, htaccess_limit, html_objects, http_only_cookies, http_put, insecure_client_access_policy, insecure_cookies, insecure_cors_policy, insecure_cross_domain_policy_access, insecure_cross_domain_policy_headers, interesting_responses, ldap_injection, localstart_asp, mixed_resource, no_sql_injection, no_sql_injection_differential, origin_spoof_access_restriction_bypass, os_cmd_injection, os_cmd_injection_timing, password_autocomplete, path_traversal, private_ip, response_splitting, rfi, session_fixation, source_code_disclosure, sql_injection, sql_injection_differential, sql_injection_timing, ssn, trainer, unencrypted_password_forms, unvalidated_redirect, unvalidated_redirect_dom, webdav, x_frame_options, xpath_injection, xss, xss_dom, xss_dom_script_context, xss_event, xss_path, xss_script_context, xss_tag, xst, xxe

Option | Value
---|---
"parameter_values" | true
"exclude_vector_patterns" | []
"include_vector_patterns" | []
"link_templates" | []
"links" | true
"forms" | true
"cookies" | true
"ui_inputs" | true
"ui_forms" | true
"jsons" | true
"xmls" | true
"values" | {}
"default_values" |
"without_defaults" | false
"force" | false
"redundant_path_patterns" | {}
"dom_depth_limit" | 5
"exclude_file_extensions" | []
"exclude_path_patterns" | []
"exclude_content_patterns" | []
"include_path_patterns" | []
"restrict_paths" | []
"extend_paths" | []
"url_rewrites" | {}
"report_path" | "/tmp/scan.afr"
"local_storage" | {}
"wait_for_elements" | {}
"pool_size" | 6
"job_timeout" | 25
"worker_time_to_live" | 100
"ignore_images" | false
"screen_width" | 1600
"screen_height" | 1200
"user_agent" | "Arachni/v1.4"
"request_timeout" | 10000
"request_redirect_limit" | 5
"request_concurrency" | 20
"request_queue_size" | 100
"request_headers" | {}
"response_max_size" | 500000
"cookies" | {}
At the time these issues were logged there were no abnormal
interferences or anomalous server behavior.
These issues are considered trusted and accurate.
Clickjacking: missing X-Frame-Options header (described above).
Configure your web server to include an X-Frame-Options header (DENY or SAMEORIGIN), or equivalently a Content-Security-Policy frame-ancestors directive, on every response it serves.
Type | Method | In | Action
---|---|---|---
server | GET | https://brainy-kids-frontend.vercel.app/ | https://brainy-kids-frontend.vercel.app/
Raw HTTP request used to retrieve the page.
GET / HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Fri, 04 Jul 2025 04:32:26 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2F&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: iad1::x7klq-1751603545363-e97568b0b2a4
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252F&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
Interesting response (status code neither 200 nor 404), as described above. In this scan every probed path, including the root, received the same 307 redirect to the Clerk handshake endpoint (X-Clerk-Auth-Status: handshake, X-Clerk-Auth-Reason: dev-browser-missing), so the probes below reached the authentication middleware rather than the application behind it; the one exception is TRACE, which Vercel rejects with 405 NOT_ALLOWED.
Type | Method | In | Action
---|---|---|---
server | GET | https://brainy-kids-frontend.vercel.app/localstart.asp | https://brainy-kids-frontend.vercel.app/localstart.asp
Raw HTTP request used to retrieve the page.
GET /localstart.asp HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=1
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Fri, 04 Jul 2025 04:32:28 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2Flocalstart.asp&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: iad1::t8qd2-1751603548195-a61a50c7ac17
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252Flocalstart.asp&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
Type | Method | In | Action
---|---|---|---
server | GET | https://brainy-kids-frontend.vercel.app/%3Cmy_tag_dedbbdb421e6bcb47f57bb26b86ee3e1/%3E | https://brainy-kids-frontend.vercel.app/%3Cmy_tag_dedbbdb421e6bcb47f57bb26b86ee3e1/%3E
Raw HTTP request used to retrieve the page.
GET /%3Cmy_tag_dedbbdb421e6bcb47f57bb26b86ee3e1/%3E HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=1
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Fri, 04 Jul 2025 04:32:28 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2F%253Cmy_tag_dedbbdb421e6bcb47f57bb26b86ee3e1%2F%253E&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: iad1::zhj5q-1751603548138-c29afe9a094d
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252F%25253Cmy_tag_dedbbdb421e6bcb47f57bb26b86ee3e1%252F%25253E&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
Type | Method | In | Action
---|---|---|---
server | GET | https://brainy-kids-frontend.vercel.app/%3E%22'%3E%3Cmy_tag_dedbbdb421e6bcb47f57bb26b86ee3e1/%3E | https://brainy-kids-frontend.vercel.app/%3E%22'%3E%3Cmy_tag_dedbbdb421e6bcb47f57bb26b86ee3e1/%3E
Raw HTTP request used to retrieve the page.
GET /%3E%22'%3E%3Cmy_tag_dedbbdb421e6bcb47f57bb26b86ee3e1/%3E HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=1
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Fri, 04 Jul 2025 04:32:28 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2F%253E%2522'%253E%253Cmy_tag_dedbbdb421e6bcb47f57bb26b86ee3e1%2F%253E&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: iad1::s2fdq-1751603548152-5070c5fa5b28
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252F%25253E%252522'%25253E%25253Cmy_tag_dedbbdb421e6bcb47f57bb26b86ee3e1%252F%25253E&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
Type | Method | In | Action
---|---|---|---
server | PUT | https://brainy-kids-frontend.vercel.app/Arachni-dedbbdb421e6bcb47f57bb26b86ee3e1 | https://brainy-kids-frontend.vercel.app/Arachni-dedbbdb421e6bcb47f57bb26b86ee3e1
Raw HTTP request used to retrieve the page.
PUT /Arachni-dedbbdb421e6bcb47f57bb26b86ee3e1 HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=1
Content-Length: 55
Expect: 100-continue

Created by Arachni. PUTdedbbdb421e6bcb47f57bb26b86ee3e1
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 100 Continue
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Fri, 04 Jul 2025 04:32:27 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2FArachni-dedbbdb421e6bcb47f57bb26b86ee3e1&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: iad1::ph9mc-1751603546303-b9223084920e
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252FArachni-dedbbdb421e6bcb47f57bb26b86ee3e1&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
Type | Method | In | Action
---|---|---|---
server | GET | https://brainy-kids-frontend.vercel.app/clientaccesspolicy.xml | https://brainy-kids-frontend.vercel.app/clientaccesspolicy.xml
Raw HTTP request used to retrieve the page.
GET /clientaccesspolicy.xml HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=1
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Fri, 04 Jul 2025 04:32:27 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2Fclientaccesspolicy.xml&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: iad1::hzmpw-1751603546303-dcc03d55eaeb
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252Fclientaccesspolicy.xml&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
Type | Method | In | Action
---|---|---|---
server | TRACE | https://brainy-kids-frontend.vercel.app/ | https://brainy-kids-frontend.vercel.app/
Raw HTTP request used to retrieve the page.
TRACE / HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=1
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 405 Method Not Allowed
Cache-Control: public, max-age=0, must-revalidate
Content-Length: 3545
Content-Type: text/html; charset=utf-8
Date: Fri, 04 Jul 2025 04:32:26 GMT
Server: Vercel
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Vercel-Error: NOT_ALLOWED
X-Vercel-Id: iad1::
<!doctype html><html lang=en><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><meta name=theme-color content=#000><title>405: NOT_ALLOWED</title><style>[inline stylesheet omitted]</style><div class=container><main><p class=devinfo-container><span class=error-code><strong>405</strong>: NOT_ALLOWED</span>
<span class=devinfo-line>Code: <code>NOT_ALLOWED</code></span>
<span class=devinfo-line>ID: <code>iad1::</code></p></main></div>
Type | Method | In | Action
---|---|---|---
server | GET | https://brainy-kids-frontend.vercel.app/dedbbdb421e6bcb47f57bb26b86ee3e1 | https://brainy-kids-frontend.vercel.app/dedbbdb421e6bcb47f57bb26b86ee3e1
Raw HTTP request used to retrieve the page.
GET /dedbbdb421e6bcb47f57bb26b86ee3e1 HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=1
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Fri, 04 Jul 2025 04:32:26 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2Fdedbbdb421e6bcb47f57bb26b86ee3e1&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: iad1::6xcpj-1751603546222-abf6f5bcc964
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252Fdedbbdb421e6bcb47f57bb26b86ee3e1&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
Vector type: server, using GET at https://brainy-kids-frontend.vercel.app/crossdomain.xml pointing to https://brainy-kids-frontend.vercel.app/crossdomain.xml.
Raw HTTP request used to retrieve the page.
GET /crossdomain.xml HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: __clerk_redirect_count=1
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Fri, 04 Jul 2025 04:32:26 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2Fcrossdomain.xml&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: iad1::c7v94-1751603546222-9378f2067d7f
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252Fcrossdomain.xml&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
Raw HTTP request used to retrieve the page.
GET / HTTP/1.1
Host: brainy-kids-frontend.vercel.app
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Raw HTTP response used as the page basis. (Binary bodies will not be displayed.)
HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html
Date: Fri, 04 Jul 2025 04:32:26 GMT
Location: https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%3A%2F%2Fbrainy-kids-frontend.vercel.app%2F&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing
Server: Vercel
Set-Cookie: __clerk_redirect_count=1; SameSite=Lax; HttpOnly; Max-Age=3
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Clerk-Auth-Reason: dev-browser-missing
X-Clerk-Auth-Status: handshake
X-Vercel-Id: iad1::x7klq-1751603545363-e97568b0b2a4
Transfer-Encoding: chunked
<!doctype html>
<!-- https://vercel.app -->
<h1>Redirecting (307)</h1>
The document has moved
<a href="https://allowing-cub-55.clerk.accounts.dev/v1/client/handshake?redirect_url=https%253A%252F%252Fbrainy-kids-frontend.vercel.app%252F&__clerk_api_version=2025-04-10&suffixed_cookies=false&__clerk_hs_reason=dev-browser-missing">here</a>
HTTP by itself is a stateless protocol. Therefore the server is unable to determine which requests are performed by which client, and which clients are authenticated or unauthenticated.
The use of HTTP cookies within the headers allows a web server to identify each individual client and therefore to distinguish clients that hold valid authentication from those that do not. These are known as session cookies.
When a cookie is set by the server (sent in the header of an HTTP response), there are several flags that can be set to configure the properties of the cookie and how it is to be handled by the browser.
One of these flags is known as the secure flag. When the secure flag is set, the browser will prevent the cookie from being sent over a clear-text channel (HTTP) and only allow it to be sent when an encrypted channel is used (HTTPS).
Arachni discovered that a cookie was set by the server without the secure flag being set. Although the initial setting of this cookie was via an HTTPS connection, any HTTP link to the same server will result in the cookie being sent in clear text.
The initial steps to remedy this should depend on whether the cookie is sensitive in nature.
If the cookie does not contain any sensitive information, then the risk of this vulnerability is reduced; however, if the cookie does contain sensitive information, then the server should ensure that the cookie has its secure flag set.
Generates a simple list of safe/unsafe URLs.
HTTP status code | URL |
---|---|
307 | https://brainy-kids-frontend.vercel.app/ |