While performing tests with nikto v2.1.6 i came to see few strange results which are as follows:
The anti-clickjacking X-Frame-Options header is not present.
- The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
- The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
- The site uses SSL and Expect-CT header is not present.
- The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
- No CGI Directories found (use ‘-C all’ to force check all possible dirs)
- Server is using a wildcard certificate: *.wpengine.com
- Uncommon header ‘wpe-backend’ found, with contents: apache
- Uncommon header ‘x-cache’ found, with contents: HIT: 2
- Uncommon header ‘link’ found, with multiple values: (https://example.wpengine.com/wp-json/; rel=“https://api.w.org/”,https://example.wpengine.com/; rel=shortlink,)
- Uncommon header ‘x-pass-why’ found, with contents:
- Uncommon header ‘x-cacheable’ found, with contents: SHORT
- Uncommon header ‘x-cache-group’ found, with contents: normal
- Uncommon header ‘x-type’ found, with contents: default
- Uncommon header ‘x-wpe-loopback-upstream-addr’ found, with contents: 127.0.0.1:6783
- Uncommon header ‘x-redirect-by’ found, with contents: WordPress
1.) What does these messages means?
2.) I was able to access .json file. How can i extract the data present? How can i prove this vulnerability?