Dynamic Scan (Unauthenticated)
Results of an OWASP ZAP passive scan run in an unauthenticated state, checking the public pages for security weaknesses.
Summary
- The ZAP passive scan detected 9 medium-risk alerts
1 item total / 1 medium
Medium-risk alerts
- Issue: the ZAP passive scan detected 9 medium-risk alerts
- Cause: the site lacks some security hardening settings (CSP, anti-CSRF tokens, cookie attributes, etc.)
- Recommendation: adjust the security headers and cookie settings according to the alert list
- Impact: impact level of this item: Medium
- Acceptance criterion: medium-risk alerts = 0
Risk Summary
Alert counts by risk level.
| Level | Count |
|---|---|
| Medium | 9 |
| Low | 14 |
| Informational | 10 |
Alert List
Scope of impact and remediation advice for each alert.
Absence of Anti-CSRF Tokens (Medium)
- CWE: 352
- Affected URLs: 5
- Remediation:
  - Phase: Architecture and Design. Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, use anti-CSRF packages such as the OWASP CSRFGuard.
  - Phase: Implementation. Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.
  - Phase: Architecture and Design. Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). Note that this can be bypassed using XSS.
  - Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note that this can be bypassed using XSS.
  - Use the ESAPI Session Management control. This control includes a component for CSRF.
  - Do not use the GET method for any request that triggers a state change.
  - Phase: Implementation. Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.
Affected URLs (2)
- https://ellohello.com
- https://ellohello.com/
CSP: Failure to Define Directive with No Fallback (Medium)
- CWE: 693
- Affected URLs: 3
- Remediation: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Affected URLs (3)
- https://ellohello.com/my-account-2/
- https://ellohello.com/my-account-2/lost-password/
- https://ellohello.com/wp-login.php?reauth=1&redirect_to=https%3A%2F%2Fellohello.com%2Fwp-admin%2F
CSP: Wildcard Directive (Medium)
- CWE: 693
- Affected URLs: 3
- Remediation: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Affected URLs (3)
- https://ellohello.com/my-account-2/
- https://ellohello.com/my-account-2/lost-password/
- https://ellohello.com/wp-login.php?reauth=1&redirect_to=https%3A%2F%2Fellohello.com%2Fwp-admin%2F
CSP: script-src unsafe-inline (Medium)
- CWE: 693
- Affected URLs: 3
- Remediation: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Affected URLs (3)
- https://ellohello.com/my-account-2/
- https://ellohello.com/my-account-2/lost-password/
- https://ellohello.com/wp-login.php?reauth=1&redirect_to=https%3A%2F%2Fellohello.com%2Fwp-admin%2F
CSP: style-src unsafe-inline (Medium)
- CWE: 693
- Affected URLs: 3
- Remediation: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Affected URLs (3)
- https://ellohello.com/my-account-2/
- https://ellohello.com/my-account-2/lost-password/
- https://ellohello.com/wp-login.php?reauth=1&redirect_to=https%3A%2F%2Fellohello.com%2Fwp-admin%2F
Content Security Policy (CSP) Header Not Set (Medium)
- CWE: 693
- Affected URLs: 5
- Remediation: Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.
Affected URLs (5)
- https://ellohello.com
- https://ellohello.com/
- https://ellohello.com/wp-content/uploads/wc-logs/
- https://ellohello.com/wp-content/uploads/woocommerce_transient_files/
- https://ellohello.com/wp-content/uploads/woocommerce_uploads/
Missing Anti-clickjacking Header (Medium)
- CWE: 1021
- Affected URLs: 5
- Remediation: Modern web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN; otherwise, if you never expect the page to be framed, you should use DENY. Alternatively, consider implementing Content Security Policy's "frame-ancestors" directive.
Affected URLs (5)
- https://ellohello.com
- https://ellohello.com/
- https://ellohello.com/?post_type=product&product_cat&s=ZAP
- https://ellohello.com/?s
- https://ellohello.com/why-ello/
Sub Resource Integrity Attribute Missing (Medium)
- CWE: 345
- Affected URLs: 5
- Remediation: Provide a valid integrity attribute to the tag.
Affected URLs (2)
- https://ellohello.com
- https://ellohello.com/
Vulnerable JS Library (Medium)
- CWE: 1395
- Affected URLs: 1
- Remediation: Upgrade to the latest version of the affected library.
Affected URLs (1)
- https://ellohello.com/wp-content/plugins/woocommerce/assets/js/select2/select2.full.min.js?ver=4.0.3-wc.9.5.3
Application Error Disclosure (Low)
- CWE: 550
- Affected URLs: 12
- Remediation: Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.
Affected URLs (12)
- https://ellohello.com/admin/
- https://ellohello.com/api/
- https://ellohello.com/bundle-set/
- https://ellohello.com/ello-shop/
- https://ellohello.com/login/
- https://ellohello.com/oral-care/
- https://ellohello.com/register/
- https://ellohello.com/scalpcare-collection/
- https://ellohello.com/skin-care-collection/
- https://ellohello.com/user/
- ... and 2 others
Cookie No HttpOnly Flag (Low)
- CWE: 1004
- Affected URLs: 3
- Remediation: Ensure that the HttpOnly flag is set for all cookies.
Affected URLs (1)
- https://ellohello.com/?add-to-cart=4101
Cookie Without Secure Flag (Low)
- CWE: 614
- Affected URLs: 3
- Remediation: Whenever a cookie contains sensitive information or is a session token, it should always be passed over an encrypted channel. Ensure that the Secure flag is set for cookies containing such sensitive information.
Affected URLs (1)
- https://ellohello.com/?add-to-cart=4101
Cookie without SameSite Attribute (Low)
- CWE: 1275
- Affected URLs: 5
- Remediation: Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
Affected URLs (2)
- https://ellohello.com/?add-to-cart=4101
- https://ellohello.com/wp-login.php?reauth=1&redirect_to=https%3A%2F%2Fellohello.com%2Fwp-admin%2F
Cross-Domain JavaScript Source File Inclusion (Low)
- CWE: 829
- Affected URLs: 5
- Remediation: Ensure JavaScript source files are loaded only from trusted sources, and that the sources can't be controlled by end users of the application.
Affected URLs (2)
- https://ellohello.com
- https://ellohello.com/
Cross-Origin-Embedder-Policy Header Missing or Invalid (Low)
- CWE: 693
- Affected URLs: 3
- Remediation: Ensure that the application/web server sets the Cross-Origin-Embedder-Policy header appropriately, and that it sets the Cross-Origin-Embedder-Policy header to 'require-corp' for documents. If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Embedder-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-embedder-policy).
Affected URLs (3)
- https://ellohello.com
- https://ellohello.com/
- https://ellohello.com/?s
Cross-Origin-Opener-Policy Header Missing or Invalid (Low)
- CWE: 693
- Affected URLs: 3
- Remediation: Ensure that the application/web server sets the Cross-Origin-Opener-Policy header appropriately, and that it sets the Cross-Origin-Opener-Policy header to 'same-origin' for documents. 'same-origin-allow-popups' is considered less secure and should be avoided. If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Opener-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-opener-policy).
Affected URLs (3)
- https://ellohello.com
- https://ellohello.com/
- https://ellohello.com/?s
Cross-Origin-Resource-Policy Header Missing or Invalid (Low)
- CWE: 693
- Affected URLs: 4
- Remediation: Ensure that the application/web server sets the Cross-Origin-Resource-Policy header appropriately, and that it sets the Cross-Origin-Resource-Policy header to 'same-origin' for all web pages. 'same-site' is considered less secure and should be avoided. If resources must be shared, set the header to 'cross-origin'. If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Resource-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-resource-policy).
Affected URLs (4)
- https://ellohello.com
- https://ellohello.com/
- https://ellohello.com/?s
- https://ellohello.com/robots.txt
Dangerous JS Functions (Low)
- CWE: 749
- Affected URLs: 3
- Remediation: See the references for security advice on the use of these functions.
Affected URLs (3)
- https://ellohello.com/wp-content/plugins/popup-builder/public/js/PopupBuilder.js?ver=4.3.9
- https://ellohello.com/wp-content/plugins/popup-builder/public/js/Subscription.js?ver=4.3.9
- https://ellohello.com/wp-content/plugins/revslider/public/js/sr7.js?ver=6.7.25
In Page Banner Information Leak (Low)
- CWE: 497
- Affected URLs: 4
- Remediation: Configure the server to prevent such information leaks. For example: under Tomcat this is done via the "server" directive and implementation of custom error pages; under Apache this is done via the "ServerSignature" and "ServerTokens" directives.
Affected URLs (4)
- https://ellohello.com/wp-content/uploads/wc-logs/
- https://ellohello.com/wp-content/uploads/woocommerce_transient_files/
- https://ellohello.com/wp-content/uploads/woocommerce_uploads/
- https://ellohello.com/wp-includes/
Permissions Policy Header Not Set (Low)
- CWE: 693
- Affected URLs: 5
- Remediation: Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header.
Affected URLs (5)
- https://ellohello.com
- https://ellohello.com/
- https://ellohello.com/wp-content/uploads/wc-logs/
- https://ellohello.com/wp-content/uploads/woocommerce_transient_files/
- https://ellohello.com/wp-content/uploads/woocommerce_uploads/
Strict-Transport-Security Header Not Set (Low)
- CWE: 319
- Affected URLs: 5
- Remediation: Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.
Affected URLs (5)
- https://ellohello.com
- https://ellohello.com/
- https://ellohello.com/robots.txt
- https://ellohello.com/wp-content/uploads/wc-logs/
- https://ellohello.com/wp-content/uploads/woocommerce_transient_files/
Timestamp Disclosure - Unix (Low)
- CWE: 497
- Affected URLs: 5
- Remediation: Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.
Affected URLs (4)
- https://ellohello.com
- https://ellohello.com/
- https://ellohello.com/?s
- https://ellohello.com/*/feed
X-Content-Type-Options Header Missing (Low)
- CWE: 693
- Affected URLs: 5
- Remediation: Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages. If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
Affected URLs (5)
- https://ellohello.com
- https://ellohello.com/
- https://ellohello.com/?s
- https://ellohello.com/robots.txt
- https://ellohello.com/why-ello/
Authentication Request Identified (Informational)
- CWE: -1
- Affected URLs: 4
- Remediation: This is an informational alert rather than a vulnerability, and so there is nothing to fix.
Affected URLs (2)
- https://ellohello.com/
- https://ellohello.com/?s
Charset Mismatch (Informational)
- CWE: 436
- Affected URLs: 1
- Remediation: Force UTF-8 for all text content, both in the HTTP header and in the meta tags in HTML or the encoding declarations in XML.
Affected URLs (1)
- https://ellohello.com/wp-json/oembed/1.0/embed?format=xml&url=https%3A%2F%2Fellohello.com%2F
Information Disclosure - Suspicious Comments (Informational)
- CWE: 615
- Affected URLs: 11
- Remediation: Remove all comments that return information that may help an attacker, and fix any underlying problems they refer to.
Affected URLs (10)
- https://ellohello.com
- https://ellohello.com/
- https://ellohello.com/?page_id=3
- https://ellohello.com/?s
- https://ellohello.com/*/feed
- https://ellohello.com/my-account-2/
- https://ellohello.com/my-account-2/lost-password/
- https://ellohello.com/why-ello/
- https://ellohello.com/wp-content/plugins/popup-builder/public/js/PopupBuilder.js?ver=4.3.9
- https://ellohello.com/wp-content/plugins/woocommerce/assets/js/jquery-blockui/jquery.blockUI.min.js?ver=2.7.0-wc.9.5.3
Modern Web Application (Informational)
- CWE: -1
- Affected URLs: 5
- Remediation: This is an informational alert, and so no changes are required.
Affected URLs (5)
- https://ellohello.com
- https://ellohello.com/
- https://ellohello.com/wp-content/uploads/wc-logs/
- https://ellohello.com/wp-content/uploads/woocommerce_transient_files/
- https://ellohello.com/wp-content/uploads/woocommerce_uploads/
Non-Storable Content (Informational)
- CWE: 524
- Affected URLs: 5
- Remediation: The content may be marked as storable by ensuring that the following conditions are satisfied:
  - The request method must be understood by the cache and defined as being cacheable ("GET", "HEAD", and "POST" are currently defined as cacheable).
  - The response status code must be understood by the cache (the 1XX, 2XX, 3XX, 4XX, and 5XX response classes are generally understood).
  - The "no-store" cache directive must not appear in the request or response header fields.
  - For caching by "shared" caches such as "proxy" caches, the "private" response directive must not appear in the response.
  - For caching by "shared" caches such as "proxy" caches, the "Authorization" header field must not appear in the request, unless the response explicitly allows it (using one of the "must-revalidate", "public", or "s-maxage" Cache-Control response directives).
  In addition to the conditions above, at least one of the following conditions must also be satisfied by the response:
  - It must contain an "Expires" header field.
  - It must contain a "max-age" response directive.
  - For "shared" caches such as "proxy" caches, it must contain an "s-maxage" response directive.
  - It must contain a "Cache Control Extension" that allows it to be cached.
  - It must have a status code that is defined as cacheable by default (200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501).
Affected URLs (5)
- https://ellohello.com/wp-admin/
- https://ellohello.com/wp-content/uploads/wc-logs/
- https://ellohello.com/wp-content/uploads/woocommerce_transient_files/
- https://ellohello.com/wp-content/uploads/woocommerce_uploads/
- https://ellohello.com/wp-includes/
Re-examine Cache-control Directives (Informational)
- CWE: 525
- Affected URLs: 5
- Remediation: For secure content, ensure the Cache-Control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached, consider setting the directives "public, max-age, immutable".
Affected URLs (5)
- https://ellohello.com
- https://ellohello.com/
- https://ellohello.com/?s
- https://ellohello.com/robots.txt
- https://ellohello.com/why-ello/
Retrieved from Cache (Informational)
- CWE: 525
- Affected URLs: 7
- Remediation: Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers to limit or prevent the content being stored in and retrieved from the cache by another user:
  - Cache-Control: no-cache, no-store, must-revalidate, private
  - Pragma: no-cache
  - Expires: 0
  This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache in response to a similar request.
Affected URLs (6)
- https://ellohello.com
- https://ellohello.com/
- https://ellohello.com/sitemap.xml
- https://ellohello.com/wp-content/uploads/wc-logs/
- https://ellohello.com/wp-content/uploads/woocommerce_transient_files/
- https://ellohello.com/wp-content/uploads/woocommerce_uploads/
Session Management Response Identified (Informational)
- CWE: -1
- Affected URLs: 2
- Remediation: This is an informational alert rather than a vulnerability, and so there is nothing to fix.
Affected URLs (2)
- https://ellohello.com/?add-to-cart=4101
- https://ellohello.com/wp-login.php?reauth=1&redirect_to=https%3A%2F%2Fellohello.com%2Fwp-admin%2F
Storable and Cacheable Content (Informational)
- CWE: 524
- Affected URLs: 5
- Remediation: Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers to limit or prevent the content being stored in and retrieved from the cache by another user:
  - Cache-Control: no-cache, no-store, must-revalidate, private
  - Pragma: no-cache
  - Expires: 0
  This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache in response to a similar request.
Affected URLs (5)
- https://ellohello.com
- https://ellohello.com/
- https://ellohello.com/?s
- https://ellohello.com/robots.txt
- https://ellohello.com/sitemap.xml
User Controllable HTML Element Attribute (Potential XSS) (Informational)
- CWE: 20
- Affected URLs: 1
- Remediation: Validate all input and sanitize output before writing it to any HTML attributes.
Affected URLs (1)
- https://ellohello.com/?post_type=product&product_cat&s=ZAP
