
Dynamic Scan (Authenticated)

Source: Dynamic Scan (Authenticated)

Scan results obtained after logging in with the customer role, covering the authenticated front-end areas such as the member (My Account) pages and order pages.

Absence of Anti-CSRF Tokens

  • CWE: 352
  • Impact: 5 URLs affected
  • Remediation: Phase: Architecture and Design. Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid; for example, use anti-CSRF packages such as the OWASP CSRFGuard. Phase: Implementation. Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script. Phase: Architecture and Design. Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). Note that this can be bypassed using XSS. Identify especially dangerous operations; when the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note that this can be bypassed using XSS. Use the ESAPI Session Management control; this control includes a component for CSRF. Do not use the GET method for any request that triggers a state change. Phase: Implementation. Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.
  • Acceptance: after remediation, rescan and confirm the alert no longer appears
Examples of affected URLs
  • GET https://ellohello.com/
  • POST https://ellohello.com/my-account-2/

CSP: Failure to Define Directive with No Fallback

  • CWE: 693
  • Impact: 3 URLs affected
  • Remediation: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
  • Acceptance: after remediation, rescan and confirm the alert no longer appears
Examples of affected URLs
  • GET https://ellohello.com/my-account-2/
  • GET https://ellohello.com/my-account-2/lost-password/
  • POST https://ellohello.com/my-account-2/

CSP: Wildcard Directive

  • CWE: 693
  • Impact: 3 URLs affected
  • Remediation: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
  • Acceptance: after remediation, rescan and confirm the alert no longer appears
Examples of affected URLs
  • GET https://ellohello.com/my-account-2/
  • GET https://ellohello.com/my-account-2/lost-password/
  • POST https://ellohello.com/my-account-2/

CSP: script-src unsafe-inline

  • CWE: 693
  • Impact: 3 URLs affected
  • Remediation: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
  • Acceptance: after remediation, rescan and confirm the alert no longer appears
Examples of affected URLs
  • GET https://ellohello.com/my-account-2/
  • GET https://ellohello.com/my-account-2/lost-password/
  • POST https://ellohello.com/my-account-2/

CSP: style-src unsafe-inline

  • CWE: 693
  • Impact: 3 URLs affected
  • Remediation: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
  • Acceptance: after remediation, rescan and confirm the alert no longer appears
Examples of affected URLs
  • GET https://ellohello.com/my-account-2/
  • GET https://ellohello.com/my-account-2/lost-password/
  • POST https://ellohello.com/my-account-2/

Content Security Policy (CSP) Header Not Set

  • CWE: 693
  • Impact: 5 URLs affected
  • Remediation: Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.
  • Acceptance: after remediation, rescan and confirm the alert no longer appears
Examples of affected URLs
  • GET https://ellohello.com
  • GET https://ellohello.com/
  • GET https://ellohello.com/wp-content/uploads/wc-logs/
  • GET https://ellohello.com/wp-content/uploads/woocommerce_transient_files/
  • GET https://ellohello.com/wp-content/uploads/woocommerce_uploads/

Missing Anti-clickjacking Header

  • CWE: 1021
  • Impact: 5 URLs affected
  • Remediation: Modern web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET), then you'll want to use SAMEORIGIN; otherwise, if you never expect the page to be framed, you should use DENY. Alternatively, consider implementing Content Security Policy's "frame-ancestors" directive.
  • Acceptance: after remediation, rescan and confirm the alert no longer appears
Examples of affected URLs
  • GET https://ellohello.com
  • GET https://ellohello.com/
  • GET https://ellohello.com/?s
  • GET https://ellohello.com/ello-shop/
  • GET https://ellohello.com/why-ello/

Sub Resource Integrity Attribute Missing

  • CWE: 345
  • Impact: 5 URLs affected
  • Remediation: Provide a valid integrity attribute to the tag.
  • Acceptance: after remediation, rescan and confirm the alert no longer appears
Examples of affected URLs
  • GET https://ellohello.com/
  • POST https://ellohello.com/my-account-2/

Vulnerable JS Library

  • CWE: 1395
  • Impact: 1 URL affected
  • Remediation: Upgrade to the latest version of the affected library.
  • Acceptance: after remediation, rescan and confirm the alert no longer appears
Examples of affected URLs
  • GET https://ellohello.com/wp-content/plugins/woocommerce/assets/js/select2/select2.full.min.js?ver=4.0.3-wc.9.5.3

For alerts raised by third-party components, assess the risk and apply compensating controls (such as WAF rules or access restrictions).