passhe-zap-report-2024-11-15

Generated with ZAP on Fri 15 Nov 2024, at 10:12:38

ZAP Version: 2.14.0

ZAP is supported by the Crash Override Open Source Fellowship

Contents

About this report

Report parameters

Contexts

No contexts were selected, so all contexts were included by default.

Sites

The following sites were included:

  • https://pagearup.oudeve.com

(If no sites were selected, all sites were included by default.)

An included site must also be within one of the included contexts for its data to be included in the report.

Risk levels

Included: High, Medium, Low, Informational

Excluded: None

Confidence levels

Included: User Confirmed, High, Medium, Low

Excluded: False Positive

Summaries

Alert counts by risk and confidence

This table shows the number of alerts for each level of risk and confidence included in the report.

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

Risk / Confidence    User Confirmed   High          Medium        Low           Total
High                 0 (0.0%)         0 (0.0%)      0 (0.0%)      0 (0.0%)      0 (0.0%)
Medium               0 (0.0%)         1 (12.5%)     2 (25.0%)     0 (0.0%)      3 (37.5%)
Low                  0 (0.0%)         1 (12.5%)     2 (25.0%)     0 (0.0%)      3 (37.5%)
Informational        0 (0.0%)         0 (0.0%)      1 (12.5%)     1 (12.5%)     2 (25.0%)
Total                0 (0.0%)         2 (25.0%)     5 (62.5%)     1 (12.5%)     8 (100%)

Alert counts by site and risk

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

Alerts with a confidence level of "False Positive" have been excluded from these counts.

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

Site                          High (= High)   Medium (>= Medium)   Low (>= Low)   Informational (>= Informational)
https://pagearup.oudeve.com   0 (0)           3 (3)                3 (6)          2 (8)

Alert counts by alert type

This table shows the number of alerts of each alert type, together with the alert type's risk level.

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

Note: the Count column reports how many times each alert type was raised (one per flagged request/response pair), while the Total row and the bracketed percentages are relative to the 8 distinct alerts in this report. The per-type counts sum to 128, so the percentages exceed 100% and should be read only as a ranking of how widespread each issue is across the crawled URLs, not as a share of the alerts.

Alert type                                                                  Risk           Count
Content Security Policy (CSP) Header Not Set                                Medium         12 (150.0%)
Cross-Domain Misconfiguration                                               Medium         25 (312.5%)
Multiple X-Frame-Options Header Entries                                     Medium          9 (112.5%)
Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)   Low            11 (137.5%)
Strict-Transport-Security Header Not Set                                    Low            26 (325.0%)
X-Content-Type-Options Header Missing                                       Low            23 (287.5%)
Re-examine Cache-control Directives                                         Informational  10 (125.0%)
User Agent Fuzzer                                                           Informational  12 (150.0%)
Total (distinct alerts)                                                                     8

Alerts

  1. Risk=Medium, Confidence=High (1)

    1. https://pagearup.oudeve.com (1)

      1. Content Security Policy (CSP) Header Not Set (1)
        1. GET https://pagearup.oudeve.com/sitemap.xml
          Alert tags
          Alert description

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          Request
          Request line and header section (251 bytes)
          GET https://pagearup.oudeve.com/sitemap.xml HTTP/1.1
          host: pagearup.oudeve.com
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
          pragma: no-cache
          cache-control: no-cache
          
          
          Request body (0 bytes)
          Response
          Status line and header section (174 bytes)
          HTTP/1.1 404 Not Found
          Date: Fri, 15 Nov 2024 15:07:17 GMT
          Server: Apache
          X-Frame-Options: SAMEORIGIN
          Content-Length: 209
          Content-Type: text/html; charset=iso-8859-1
          
          
          Response body (209 bytes)
          <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
          <html><head>
          <title>404 Not Found</title>
          </head><body>
          <h1>Not Found</h1>
          <p>The requested URL /sitemap.xml was not found on this server.</p>
          </body></html>
          
          Solution

          Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

  2. Risk=Medium, Confidence=Medium (2)

    1. https://pagearup.oudeve.com (2)

      1. Cross-Domain Misconfiguration (1)
        1. GET https://pagearup.oudeve.com/index.html
          Alert tags
          Alert description

          Web browser data loading may be possible due to a Cross-Origin Resource Sharing (CORS) misconfiguration on the web server.

          Other info

          The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third-party domains against unauthenticated APIs on this domain. Web browsers do not let arbitrary third parties read the response from authenticated APIs, however, because a wildcard Access-Control-Allow-Origin is not accepted for credentialed requests; this reduces the risk somewhat. The misconfiguration could still be used by an attacker to access data that is served without authentication but protected by some other control, such as IP address white-listing, since the attacker's script runs in the browser of a victim who is inside the allowed network.

          Request
          Request line and header section (309 bytes)
          GET https://pagearup.oudeve.com/index.html HTTP/1.1
          host: pagearup.oudeve.com
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
          pragma: no-cache
          cache-control: no-cache
          referer: https://pagearup.oudeve.com/_showcase/index.html
          
          
          Request body (0 bytes)
          Response
          Status line and header section (282 bytes)
          HTTP/1.1 200 OK
          Date: Fri, 15 Nov 2024 15:07:18 GMT
          Server: Apache
          X-Powered-By: PHP/7.4.32
          X-Frame-Options: SAMEORIGIN
          X-Frame-Options: SAMEORIGIN
          SERVER-ID: {NODE-NAME}.{NODE-ENV}
          Access-Control-Allow-Origin: *
          Content-Type: text/html; charset=UTF-8
          content-length: 0
          
          
          Response body (0 bytes)
          Evidence
          Access-Control-Allow-Origin: *
          Solution

          Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).

          Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
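To make the "reduces the risk somewhat" reasoning above concrete, the following added example (not part of the ZAP report or of the site's own code) implements the browser-side check from the Fetch standard that decides whether a page on another origin may read a response, and a hardened server-side replacement for the observed `Access-Control-Allow-Origin: *`. The attacker origin `https://attacker.example` and the allowlist containing only `https://pagearup.oudeve.com` are assumptions for illustration.

```python
"""Browser-side CORS response check and a hardened server-side replacement.
Added example, modelled on the Fetch standard's "CORS check"; it is not ZAP
code and not the site's code. Origins used below are assumptions."""

from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CorsResponse:
    """The two response headers a browser consults (None = header absent)."""
    allow_origin: Optional[str]
    allow_credentials: Optional[str] = None


def cors_read_allowed(resp: CorsResponse, requesting_origin: str, with_credentials: bool) -> bool:
    """Return True if script running at `requesting_origin` may read the body.

    Mirrors the Fetch standard's CORS check:
      * no Access-Control-Allow-Origin            -> blocked
      * "*" and the request carried no credentials -> readable (the report's case)
      * otherwise the header must equal the origin byte-for-byte
      * with credentials, Access-Control-Allow-Credentials must also be exactly
        "true"; "*" is never accepted in that mode
    """
    acao = resp.allow_origin
    if acao is None:
        return False
    if not with_credentials and acao == "*":
        return True
    if acao != requesting_origin:
        return False
    if not with_credentials:
        return True
    return resp.allow_credentials == "true"


# Assumption: the only origin that legitimately needs cross-origin reads.
ALLOWED_ORIGINS = frozenset({"https://pagearup.oudeve.com"})


def cors_headers_for(request_origin: Optional[str]) -> dict:
    """Hardened replacement for a blanket 'Access-Control-Allow-Origin: *'.

    Echo the Origin only when it is on the allowlist (never reflect arbitrary
    origins) and add 'Vary: Origin' so a shared cache does not hand one
    origin's response to another. Unknown origins get no CORS headers at all,
    which leaves the browser's same-origin policy in force.
    """
    if request_origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    observed = CorsResponse(allow_origin="*")          # header captured in this report
    attacker = "https://attacker.example"               # assumption
    print("wildcard, unauthenticated read:", cors_read_allowed(observed, attacker, False))
    print("wildcard, credentialed read:   ", cors_read_allowed(observed, attacker, True))
    fixed = CorsResponse(cors_headers_for(attacker).get("Access-Control-Allow-Origin"))
    print("hardened, attacker origin:     ", cors_read_allowed(fixed, attacker, False))
```

The wildcard lets any origin read unauthenticated responses, which is exactly what the alert describes, while a credentialed request is blocked because the browser refuses `*` in that mode. The hardened variant echoes only allowlisted origins and otherwise sends no CORS headers, which is the "remove all CORS headers entirely" option in the solution above.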

      2. Multiple X-Frame-Options Header Entries (1)
        1. GET https://pagearup.oudeve.com/_showcase/index.html
          Alert tags
          Alert description

          Multiple X-Frame-Options (XFO) headers were found; a response with more than one XFO header entry may not be treated predictably by all user agents.

          Request
          Request line and header section (260 bytes)
          GET https://pagearup.oudeve.com/_showcase/index.html HTTP/1.1
          host: pagearup.oudeve.com
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
          pragma: no-cache
          cache-control: no-cache
          
          
          Request body (0 bytes)
          Response
          Status line and header section (285 bytes)
          HTTP/1.1 200 OK
          Date: Fri, 15 Nov 2024 15:07:17 GMT
          Server: Apache
          X-Powered-By: PHP/7.4.32
          X-Frame-Options: SAMEORIGIN
          X-Frame-Options: SAMEORIGIN
          SERVER-ID: {NODE-NAME}.{NODE-ENV}
          Access-Control-Allow-Origin: *
          Content-Type: text/html; charset=UTF-8
          content-length: 8312
          
          
          Response body (8312 bytes)
          <!DOCTYPE HTML><html lang="en">
             <head>
                <meta charset="UTF-8">
                <meta http-equiv="x-ua-compatible" content="ie=edge">
                <title>Index</title>
                <link rel="canonical" href="https://pagearup.oudeve.com/_showcase/index.html">
                <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
                
          <!-- this is the headcode include -->
          <link rel="stylesheet" href="/_resources/css/psgu.css">
          <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
          
          <link rel="stylesheet" href="/_resources/css/oustyles.css" /></head>
             <body translate="no"><div class="hdr-btm-brdr">
             <div id="header-wrapper">
                <header class="header"><a href="/index.html">
                      <div id="hdr-psgu-logo_wht-stroked"></div></a><div class="topnavbar" id="mobilenav" style="margin-left:90px;">
                      <ul>
                         <li><a href="/_showcase/index.html">Home</a></li>
                         <li><a href="/_showcase/about-us.html">About Us</a></li>
                         <li><a href="/_showcase/design.html">Design</a></li>
                         <li><a href="/_showcase/activities.html">Activities</a></li>
                         <li><a href="/_showcase/districts.html">Districts</a></li>
                         <li><a href="/_showcase/partners.html">Partners</a></li>
                         <li><a href="/_showcase/successes.html">Successes</a></li>
                         <li><a href="/_showcase/resources.html">Resources</a></li>
                      </ul><button class="menu-toggle" id="menu-toggle"><span></span></button></div>
                </header>
             </div>
          </div>      		
                		
                <div class="content-canvas">
                   
                   			
                   <div id="mission-statement">
                      				
                      <h2 style="color:#001641;font:600 20px/30px montserrat,arial,sans-serif;">The vision of PA State GEAR UP is equitable <span style="color:#228d58;">College Access and Success</span> for students which aims to increase enrollment and first-year to second-year persistence
                         in postsecondary education.</h2>
                      			</div>
                   
                   			
                   <div class="content-row">
                      				
                      <div class="content-row_leftbox" style="padding-top:30px;">
                         					
                         <h1>What is GEAR UP?</h1>
                         
                         					
                         <h2>
                            						<span class="init-bold">GEAR UP</span> stands for<br>
                            						<span style="display:inline-block;margin:16px 0 0 40px;">
                               							<span class="init-bold">G</span>aining<br>
                               							<span class="init-bold">E</span>arly<br>
                               							<span class="init-bold">A</span>wareness and<br>
                               							<span class="init-bold">R</span>eadiness for<br>
                               							<span class="init-bold">U</span>ndergraduate<br>
                               							<span class="init-bold">P</span>rograms.
                               						</span>
                            					</h2>
                         					
                         <p>It is a federal grant program funded by the <b style="font-weight:600!important;">U.S. Department of Education</b> to support students and families. The Pennsylvania State GEAR UP grant was awarded
                            to <em>Shippensburg University</em> on behalf of the Pennsylvania State System of Higher Education.</p>
                         				</div>
                      
                      				
                      <div class="photo-overlay"></div>
                      			</div>
                   			<!-- end .content-row -->
                   
                   			
                   <div class="content-row" style="display:flex;flex-direction:row;padding:0!important;">
                      
                      				
                      <div class="home-photo-bkg-box"></div>
                      
                      				
                      <div class="content-row_rtbox" style="padding:35px 70px 30px 70px;min-height:444px!important;padding-top:35px!important;">
                         					
                         <h1>Why have GEAR UP?</h1>
                         
                         					
                         <h2>To help students <span style="font-weight:700;">Reach for the Future!</span></h2>
                         
                         					
                         <p>GEAR UP’s goal is to raise expectations to increase student high school graduation
                            rates and enrollment in college.</p>
                         
                         					
                         <p><strong>College is possible for all students, including you!</strong></p>
                         				</div>
                      			</div>
                   			<!-- end .content-row -->
                   
                   			
                   <div class="content-row-one-across">
                      				
                      <div style="padding-top:6px;margin-top:60px;border-top:3px solid #d4d4d4;height:2px;">&nbsp;</div>
                      				
                      <h4 class="grnbox-intro" style="font-size:200%;line-height:100%;color:#001641;text-align:center;margin:30px 0;">Learn more about <span style="font-weight:700;">PA STATE GEARUP</span></h4>
                      				
                      <div class="green-row" style="margin-bottom:30px;">
                         					
                         <div class="vid-leftbox">
                            						
                            <h2 class="grnbox">For Students</h2>
                            						
                            <div style="position:relative!important;overflow:hidden!important;width:95%!important;padding-top:56.25%!important;margin:0 auto;"> 
                               							<iframe src="https://www.youtube.com/embed/-u83AF49nv0" title="YouTube video player" frameborder="0" style="position:absolute!important;top:0px!important;left:0px!important;bottom:0;right:0;width:100%!important;height:100%!important;object-fit:contain!important;">
                                  							</iframe>
                               						</div>
                            					</div>
                         					
                         <div class="vid-rtbox">
                            						
                            <h2 class="grnbox">For Families, Educators, and Partners</h2>
                            						
                            <div style="position:relative!important;overflow:hidden!important;width:95%!important;padding-top:56.25%!important;margin:0 auto;">
                               							<iframe src="https://www.youtube.com/embed/lJIFclaTSQQ" title="YouTube video player" frameborder="0" style="position:absolute!important;top:0px!important;left:0px!important;bottom:0;right:0;width:100%!important;height:100%!important;object-fit:contain!important;">
                                  							</iframe>
                               						</div>
                            					</div>
                         				</div>
                      				<!-- end .content-row -->
                      			</div>
                   			<!-- end .content-row-one-across -->
                   		</div>
                	<div class="ftr-top-brdr">
             <div id="footer-wrapper">
                <footer class="footer"><a href="/index.html">
                      <div id="ftr-passhe-logo_horiz_white-type"></div></a><ul class="ftr-links">
                      <li><a href="/_showcase/contact.html">Contact Us</a></li>
                      <li><a href="/documents/GEAR-UP-Reach-for-the-Future-Brochure-Listed.pdf" target="_blank" rel="noopener">GEAR UP Brochure</a></li>
                   </ul>
                </footer>
                <div class="bluegrey-rule">&nbsp;</div>
                <div class="copyrt"><span id="directedit">©</span> 2022 Pennsylvania State GEAR UP. All rights reserved.</div>
             </div>
          </div>
          
          <script id="rendered-js">
          	var x = document.getElementById("mobilenav");
          /* Toggle the hamburger icon to X */	
          document.getElementById('menu-toggle').onclick = function () {
          	if (this.classList.contains('clicked')) {
          		this.classList.remove('clicked');
          	} else {
          		this.classList.add('clicked');
          	}
          /* Hide .topnavbar and show .vertical-menu on mobile screens (max-width:1050px)  */
          		if (x.className === "topnavbar") {
          		x.className += " vertical-menu";
          	} else {
          		x.className = "topnavbar";
          	}
          };
          </script>      <div id="ou-hidden" style="display:none;"><a id="de" rel="nofollow" href="https://a.cms.omniupdate.com/11/?skin=oucampus&amp;account=passhe&amp;site=pagearup&amp;action=de&amp;path=/_showcase/index.pcf">&copy;</a></div><script>
          			if(document.getElementById("de") != null && document.getElementById("directedit")) {
          				var link = document.getElementById("de").parentNode.innerHTML;
          				document.getElementById("de").parentNode.innerHTML = "";
          				document.getElementById("directedit").innerHTML = link.replace(/^\s+|\s+$/gm,'');
          			}
          		</script></body>
          </html>
          Parameter
          x-frame-options
          Solution

          Ensure only a single X-Frame-Options header is present in the response.

  3. Risk=Low, Confidence=High (1)

    1. https://pagearup.oudeve.com (1)

      1. Strict-Transport-Security Header Not Set (1)
        1. GET https://pagearup.oudeve.com/robots.txt
          Alert tags
          Alert description

          HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.

          Request
          Request line and header section (250 bytes)
          GET https://pagearup.oudeve.com/robots.txt HTTP/1.1
          host: pagearup.oudeve.com
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
          pragma: no-cache
          cache-control: no-cache
          
          
          Request body (0 bytes)
          Response
          Status line and header section (352 bytes)
          HTTP/1.1 200 OK
          Date: Fri, 15 Nov 2024 15:07:18 GMT
          Server: Apache
          X-Frame-Options: SAMEORIGIN
          Last-Modified: Thu, 10 Oct 2024 20:42:49 GMT
          ETag: "19-6242569e8baf7"
          Accept-Ranges: bytes
          Content-Length: 25
          X-Frame-Options: SAMEORIGIN
          SERVER-ID: {NODE-NAME}.{NODE-ENV}
          Access-Control-Allow-Origin: *
          Content-Type: text/plain; charset=UTF-8
          
          
          Response body (25 bytes)
          User-agent: *
          Disallow: /
          Solution

          Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.

  4. Risk=Low, Confidence=Medium (2)

    1. https://pagearup.oudeve.com (2)

      1. Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) (1)
        1. GET https://pagearup.oudeve.com/
          Alert tags
          Alert description

          The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.

          Request
          Request line and header section (289 bytes)
          GET https://pagearup.oudeve.com/ HTTP/1.1
          host: pagearup.oudeve.com
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
          pragma: no-cache
          cache-control: no-cache
          referer: https://pagearup.oudeve.com/robots.txt
          
          
          Request body (0 bytes)
          Response
          Status line and header section (282 bytes)
          HTTP/1.1 200 OK
          Date: Fri, 15 Nov 2024 15:07:18 GMT
          Server: Apache
          X-Powered-By: PHP/7.4.32
          X-Frame-Options: SAMEORIGIN
          X-Frame-Options: SAMEORIGIN
          SERVER-ID: {NODE-NAME}.{NODE-ENV}
          Access-Control-Allow-Origin: *
          Content-Type: text/html; charset=UTF-8
          content-length: 0
          
          
          Response body (0 bytes)
          Evidence
          X-Powered-By: PHP/7.4.32
          Solution

          Ensure that your web server, application server, load balancer, etc. is configured to suppress "X-Powered-By" headers.

      2. X-Content-Type-Options Header Missing (1)
        1. GET https://pagearup.oudeve.com/robots.txt
          Alert tags
          Alert description

          The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

          Other info

          This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

          At "High" threshold this scan rule will not alert on client or server error responses.

          Request
          Request line and header section (250 bytes)
          GET https://pagearup.oudeve.com/robots.txt HTTP/1.1
          host: pagearup.oudeve.com
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
          pragma: no-cache
          cache-control: no-cache
          
          
          Request body (0 bytes)
          Response
          Status line and header section (352 bytes)
          HTTP/1.1 200 OK
          Date: Fri, 15 Nov 2024 15:07:18 GMT
          Server: Apache
          X-Frame-Options: SAMEORIGIN
          Last-Modified: Thu, 10 Oct 2024 20:42:49 GMT
          ETag: "19-6242569e8baf7"
          Accept-Ranges: bytes
          Content-Length: 25
          X-Frame-Options: SAMEORIGIN
          SERVER-ID: {NODE-NAME}.{NODE-ENV}
          Access-Control-Allow-Origin: *
          Content-Type: text/plain; charset=UTF-8
          
          
          Response body (25 bytes)
          User-agent: *
          Disallow: /
          Parameter
          x-content-type-options
          Solution

          Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

          If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
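The header findings in this report (CSP not set, cross-domain misconfiguration, duplicate X-Frame-Options, X-Powered-By disclosure, HSTS not set, X-Content-Type-Options missing) can all be checked from a single response head. The added example below is not ZAP's scan-rule code; it parses the captured head of `GET https://pagearup.oudeve.com/` exactly as printed in this report, plus a constructed hardened head showing what the remediated response should look like. The CSP policy string and the HSTS max-age in the hardened head are assumptions, not values from the site.

```python
"""Passive audit of an HTTP response head for the header findings in this
report. Added example; it is not ZAP's scan-rule code. OBSERVED_HEAD is
copied from the report; HARDENED_HEAD is constructed (CSP policy and HSTS
max-age are assumptions)."""

from __future__ import annotations

from collections import defaultdict

# Captured in this report: GET https://pagearup.oudeve.com/ (status line and headers).
OBSERVED_HEAD = """HTTP/1.1 200 OK
Date: Fri, 15 Nov 2024 15:07:18 GMT
Server: Apache
X-Powered-By: PHP/7.4.32
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
SERVER-ID: {NODE-NAME}.{NODE-ENV}
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=UTF-8
content-length: 0
"""

# Constructed: the same response after applying the solutions in this report.
HARDENED_HEAD = """HTTP/1.1 200 OK
Date: Fri, 15 Nov 2024 15:07:18 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'; object-src 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
content-length: 0
"""


def parse_head(raw: str) -> tuple:
    """Split a response head into (status code, {lower-cased name: [values]}).

    Field names are case-insensitive, so they are lower-cased; values are kept
    in a list so duplicate headers stay visible instead of being merged."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = defaultdict(list)
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return status, dict(headers)


def audit(raw: str, over_https: bool = True) -> list:
    """Return one finding name per issue, in the order this report lists them."""
    status, h = parse_head(raw)
    findings = []
    ctype = h.get("content-type", [""])[0].lower()

    # CSP only matters for responses a browser will render as a document.
    if ctype.startswith("text/html") and "content-security-policy" not in h:
        findings.append("Content Security Policy (CSP) Header Not Set")
    if h.get("access-control-allow-origin") == ["*"]:
        findings.append("Cross-Domain Misconfiguration")
    if len(h.get("x-frame-options", [])) > 1:
        findings.append("Multiple X-Frame-Options Header Entries")
    if "x-powered-by" in h:
        findings.append('Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)')
    # Browsers honour HSTS only when it arrives over TLS, so plain-HTTP
    # responses are not expected to carry it (ZAP likewise alerts only on HTTPS).
    if over_https and "strict-transport-security" not in h:
        findings.append("Strict-Transport-Security Header Not Set")
    if [v.lower() for v in h.get("x-content-type-options", [])] != ["nosniff"]:
        findings.append("X-Content-Type-Options Header Missing")
    return findings


if __name__ == "__main__":
    for name, head in (("observed", OBSERVED_HEAD), ("hardened", HARDENED_HEAD)):
        print(name, audit(head))
```

Two details matter in practice: HTTP field names are case-insensitive (the site mixes `Content-Length` and `content-length`), so names are normalised before comparison; and duplicate headers must be kept as a list rather than merged, otherwise the Multiple X-Frame-Options finding is invisible. Running the audit against the hardened head returns no findings, which is the check to repeat after the server configuration has been changed.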

  5. Risk=Informational, Confidence=Medium (1)

    1. https://pagearup.oudeve.com (1)

      1. User Agent Fuzzer (1)
        1. GET https://pagearup.oudeve.com/_showcase
          Alert tags
          Alert description

          Checks for differences in the response based on a fuzzed User-Agent (e.g. mobile sites, or access as a search-engine crawler). Compares the response status code and the hash of the response body with those of the original response.
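As an added example (not ZAP's own rule code), this is the comparison the description refers to: each fuzzed User-Agent's response is compared with the baseline by status code and by a SHA-256 fingerprint of the body. It goes one step beyond the plain hash comparison by masking fragments that change on every request (a timestamp or CSRF token), which would otherwise make every response look different. The sample responses, the Googlebot and Android user-agent strings and the volatile patterns are constructed for illustration; the MSIE string is the one used in the request below.

```python
"""Response comparison for a User-Agent fuzz check: a fuzzed response counts
as "different" when its status code or body fingerprint differs from the
baseline. Added example, not ZAP code. Sample responses are constructed."""

from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    body: bytes


# Assumption: these are the parts of the compared pages that change on every
# request. Masking them keeps the check from flagging noise as a UA difference.
VOLATILE = [
    re.compile(rb'<meta name="csrf-token" content="[^"]*">'),
    re.compile(rb"\b\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z\b"),
]


def body_fingerprint(body: bytes) -> str:
    """SHA-256 of the body with volatile fragments removed."""
    for pat in VOLATILE:
        body = pat.sub(b"", body)
    return hashlib.sha256(body).hexdigest()


def compare(baseline: Response, fuzzed: dict) -> dict:
    """Map each fuzzed User-Agent to why it differed ('status' or 'body') or None."""
    base_fp = body_fingerprint(baseline.body)
    result = {}
    for ua, resp in fuzzed.items():
        if resp.status != baseline.status:
            result[ua] = "status"
        elif body_fingerprint(resp.body) != base_fp:
            result[ua] = "body"
        else:
            result[ua] = None
    return result


# Constructed sample: the same page served to the baseline browser, to an old
# IE string (identical apart from a timestamp), to a crawler string that the
# server blocks, and to a mobile string that gets a different page.
BASELINE = Response(200, b"<html><p>Index</p><!-- 2024-11-15T15:09:00Z --></html>")
FUZZED = {
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)":
        Response(200, b"<html><p>Index</p><!-- 2024-11-15T15:09:01Z --></html>"),
    "Googlebot/2.1 (+http://www.google.com/bot.html)":
        Response(403, b"Forbidden"),
    "Mozilla/5.0 (Linux; Android 10; Mobile)":
        Response(200, b"<html><p>Index (mobile)</p></html>"),
}


def differing_agents() -> dict:
    """Only the user agents that produced a different response, with the reason."""
    return {ua: why for ua, why in compare(BASELINE, FUZZED).items() if why}


if __name__ == "__main__":
    for ua, why in differing_agents().items():
        print(f"{why:6s} {ua}")
```

A status difference usually points at UA-based access control (crawler blocking, bot walls), while a body difference points at UA-dependent content such as a mobile variant; both are worth a manual look because they show the server treats some clients differently, and a hidden variant may lack controls the main page has.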

          Request
          Request line and header section (188 bytes)
          GET https://pagearup.oudeve.com/_showcase HTTP/1.1
          host: pagearup.oudeve.com
          user-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
          pragma: no-cache
          cache-control: no-cache
          
          
          Request body (0 bytes)
          Response
          Status line and header section (304 bytes)
          HTTP/1.1 200 OK
          Date: Fri, 15 Nov 2024 15:09:00 GMT
          Server: Apache
          X-Powered-By: PHP/7.4.32
          X-Frame-Options: SAMEORIGIN
          X-Frame-Options: SAMEORIGIN
          SERVER-ID: {NODE-NAME}.{NODE-ENV}
          Access-Control-Allow-Origin: *
          Connection: close
          Content-Type: text/html; charset=UTF-8
          content-length: 8312
          
          
          Response body (8312 bytes)
          <!DOCTYPE HTML><html lang="en">
             <head>
                <meta charset="UTF-8">
                <meta http-equiv="x-ua-compatible" content="ie=edge">
                <title>Index</title>
                <link rel="canonical" href="https://pagearup.oudeve.com/_showcase/index.html">
                <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
                
          <!-- this is the headcode include -->
          <link rel="stylesheet" href="/_resources/css/psgu.css">
          <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
          
          <link rel="stylesheet" href="/_resources/css/oustyles.css" /></head>
             <body translate="no"><div class="hdr-btm-brdr">
             <div id="header-wrapper">
                <header class="header"><a href="/index.html">
                      <div id="hdr-psgu-logo_wht-stroked"></div></a><div class="topnavbar" id="mobilenav" style="margin-left:90px;">
                      <ul>
                         <li><a href="/_showcase/index.html">Home</a></li>
                         <li><a href="/_showcase/about-us.html">About Us</a></li>
                         <li><a href="/_showcase/design.html">Design</a></li>
                         <li><a href="/_showcase/activities.html">Activities</a></li>
                         <li><a href="/_showcase/districts.html">Districts</a></li>
                         <li><a href="/_showcase/partners.html">Partners</a></li>
                         <li><a href="/_showcase/successes.html">Successes</a></li>
                         <li><a href="/_showcase/resources.html">Resources</a></li>
                      </ul><button class="menu-toggle" id="menu-toggle"><span></span></button></div>
                </header>
             </div>
          </div>      		
                		
                <div class="content-canvas">
                   
                   			
                   <div id="mission-statement">
                      				
                      <h2 style="color:#001641;font:600 20px/30px montserrat,arial,sans-serif;">The vision of PA State GEAR UP is equitable <span style="color:#228d58;">College Access and Success</span> for students which aims to increase enrollment and first-year to second-year persistence
                         in postsecondary education.</h2>
                      			</div>
                   
                   			
                   <div class="content-row">
                      				
                      <div class="content-row_leftbox" style="padding-top:30px;">
                         					
                         <h1>What is GEAR UP?</h1>
                         
                         					
                         <h2>
                            						<span class="init-bold">GEAR UP</span> stands for<br>
                            						<span style="display:inline-block;margin:16px 0 0 40px;">
                               							<span class="init-bold">G</span>aining<br>
                               							<span class="init-bold">E</span>arly<br>
                               							<span class="init-bold">A</span>wareness and<br>
                               							<span class="init-bold">R</span>eadiness for<br>
                               							<span class="init-bold">U</span>ndergraduate<br>
                               							<span class="init-bold">P</span>rograms.
                               						</span>
                            					</h2>
                         					
                         <p>It is a federal grant program funded by the <b style="font-weight:600!important;">U.S. Department of Education</b> to support students and families. The Pennsylvania State GEAR UP grant was awarded
                            to <em>Shippensburg University</em> on behalf of the Pennsylvania State System of Higher Education.</p>
                         				</div>
                      
                      				
                      <div class="photo-overlay"></div>
                      			</div>
                   			<!-- end .content-row -->
                   
                   			
                   <div class="content-row" style="display:flex;flex-direction:row;padding:0!important;">
                      
                      				
                      <div class="home-photo-bkg-box"></div>
                      
                      				
                      <div class="content-row_rtbox" style="padding:35px 70px 30px 70px;min-height:444px!important;padding-top:35px!important;">
                         					
                         <h1>Why have GEAR UP?</h1>
                         
                         					
                         <h2>To help students <span style="font-weight:700;">Reach for the Future!</span></h2>
                         
                         					
                         <p>GEAR UP’s goal is to raise expectations to increase student high school graduation
                            rates and enrollment in college.</p>
                         
                         					
                         <p><strong>College is possible for all students, including you!</strong></p>
                         				</div>
                      			</div>
                   			<!-- end .content-row -->
                   
                   			
                   <div class="content-row-one-across">
                      				
                      <div style="padding-top:6px;margin-top:60px;border-top:3px solid #d4d4d4;height:2px;">&nbsp;</div>
                      				
                      <h4 class="grnbox-intro" style="font-size:200%;line-height:100%;color:#001641;text-align:center;margin:30px 0;">Learn more about <span style="font-weight:700;">PA STATE GEARUP</span></h4>
                      				
                      <div class="green-row" style="margin-bottom:30px;">
                         					
                         <div class="vid-leftbox">
                            						
                            <h2 class="grnbox">For Students</h2>
                            						
                            <div style="position:relative!important;overflow:hidden!important;width:95%!important;padding-top:56.25%!important;margin:0 auto;"> 
                               							<iframe src="https://www.youtube.com/embed/-u83AF49nv0" title="YouTube video player" frameborder="0" style="position:absolute!important;top:0px!important;left:0px!important;bottom:0;right:0;width:100%!important;height:100%!important;object-fit:contain!important;">
                                  							</iframe>
                               						</div>
                            					</div>
                         					
                         <div class="vid-rtbox">
                            						
                            <h2 class="grnbox">For Families, Educators, and Partners</h2>
                            						
                            <div style="position:relative!important;overflow:hidden!important;width:95%!important;padding-top:56.25%!important;margin:0 auto;">
                               							<iframe src="https://www.youtube.com/embed/lJIFclaTSQQ" title="YouTube video player" frameborder="0" style="position:absolute!important;top:0px!important;left:0px!important;bottom:0;right:0;width:100%!important;height:100%!important;object-fit:contain!important;">
                                  							</iframe>
                               						</div>
                            					</div>
                         				</div>
                      				<!-- end .content-row -->
                      			</div>
                   			<!-- end .content-row-one-across -->
                   		</div>
                	<div class="ftr-top-brdr">
             <div id="footer-wrapper">
                <footer class="footer"><a href="/index.html">
                      <div id="ftr-passhe-logo_horiz_white-type"></div></a><ul class="ftr-links">
                      <li><a href="/_showcase/contact.html">Contact Us</a></li>
                      <li><a href="/documents/GEAR-UP-Reach-for-the-Future-Brochure-Listed.pdf" target="_blank" rel="noopener">GEAR UP Brochure</a></li>
                   </ul>
                </footer>
                <div class="bluegrey-rule">&nbsp;</div>
                <div class="copyrt"><span id="directedit">©</span> 2022 Pennsylvania State GEAR UP. All rights reserved.</div>
             </div>
          </div>
          
          <script id="rendered-js">
          	var x = document.getElementById("mobilenav");
          /* Toggle the hamburger icon to X */	
          document.getElementById('menu-toggle').onclick = function () {
          	if (this.classList.contains('clicked')) {
          		this.classList.remove('clicked');
          	} else {
          		this.classList.add('clicked');
          	}
          /* Hide .topnavbar and show .vertical-menu on mobile screens (max-width:1050px)  */
          		if (x.className === "topnavbar") {
          		x.className += " vertical-menu";
          	} else {
          		x.className = "topnavbar";
          	}
          };
          </script>      <div id="ou-hidden" style="display:none;"><a id="de" rel="nofollow" href="https://a.cms.omniupdate.com/11/?skin=oucampus&amp;account=passhe&amp;site=pagearup&amp;action=de&amp;path=/_showcase/index.pcf">&copy;</a></div><script>
          			if(document.getElementById("de") != null && document.getElementById("directedit")) {
          				var link = document.getElementById("de").parentNode.innerHTML;
          				document.getElementById("de").parentNode.innerHTML = "";
          				document.getElementById("directedit").innerHTML = link.replace(/^\s+|\s+$/gm,'');
          			}
          		</script></body>
          </html>
          Parameter
          Header User-Agent
          Attack
          Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
  6. Risk=Informational, Confidence=Low (1)

    1. https://pagearup.oudeve.com (1)

      1. Re-examine Cache-control Directives (1)
        1. GET https://pagearup.oudeve.com/robots.txt
          Alert tags
          Alert description

          The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended; however, the resources should be reviewed to ensure that no sensitive content will be cached.

          Request
          Request line and header section (250 bytes)
          GET https://pagearup.oudeve.com/robots.txt HTTP/1.1
          host: pagearup.oudeve.com
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
          pragma: no-cache
          cache-control: no-cache
          
          
          Request body (0 bytes)
          Response
          Status line and header section (352 bytes)
          HTTP/1.1 200 OK
          Date: Fri, 15 Nov 2024 15:07:18 GMT
          Server: Apache
          X-Frame-Options: SAMEORIGIN
          Last-Modified: Thu, 10 Oct 2024 20:42:49 GMT
          ETag: "19-6242569e8baf7"
          Accept-Ranges: bytes
          Content-Length: 25
          X-Frame-Options: SAMEORIGIN
          SERVER-ID: {NODE-NAME}.{NODE-ENV}
          Access-Control-Allow-Origin: *
          Content-Type: text/plain; charset=UTF-8
          
          
          Response body (25 bytes)
          User-agent: *
          Disallow: /
          Parameter
          cache-control
          Solution

          For secure content, ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached, consider setting the directives "public, max-age, immutable".

Appendix

Alert types

This section contains additional information on the types of alerts in the report.

  1. Content Security Policy (CSP) Header Not Set

    Source raised by a passive scanner (Content Security Policy (CSP) Header Not Set)
    CWE ID 693
    WASC ID 15
    Reference
    1. https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
    2. https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
    3. https://www.w3.org/TR/CSP/
    4. https://w3c.github.io/webappsec-csp/
    5. https://web.dev/articles/csp
    6. https://caniuse.com/#feat=contentsecuritypolicy
    7. https://content-security-policy.com/
  2. Cross-Domain Misconfiguration

    Source raised by a passive scanner (Cross-Domain Misconfiguration)
    CWE ID 264
    WASC ID 14
    Reference
    1. https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy
  3. Multiple X-Frame-Options Header Entries

    Source raised by a passive scanner (Anti-clickjacking Header)
    CWE ID 1021
    WASC ID 15
    Reference
    1. https://tools.ietf.org/html/rfc7034
  4. Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

    Source raised by a passive scanner (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s))
    CWE ID 200
    WASC ID 13
    Reference
    1. https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework
    2. https://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html
  5. Strict-Transport-Security Header Not Set

    Source raised by a passive scanner (Strict-Transport-Security Header)
    CWE ID 319
    WASC ID 15
    Reference
    1. https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
    2. https://owasp.org/www-community/Security_Headers
    3. https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
    4. https://caniuse.com/stricttransportsecurity
    5. https://datatracker.ietf.org/doc/html/rfc6797
  6. X-Content-Type-Options Header Missing

    Source raised by a passive scanner (X-Content-Type-Options Header Missing)
    CWE ID 693
    WASC ID 15
    Reference
    1. https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
    2. https://owasp.org/www-community/Security_Headers
  7. Re-examine Cache-control Directives

    Source raised by a passive scanner (Re-examine Cache-control Directives)
    CWE ID 525
    WASC ID 13
    Reference
    1. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
    2. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
    3. https://grayduck.mn/2021/09/13/cache-control-recommendations/
  8. User Agent Fuzzer

    Source raised by an active scanner (User Agent Fuzzer)
    Reference
    1. https://owasp.org/wstg