Vulnerability Assessment Report
Court Crate
courtcrate.com
Prepared by: Kayvon Karimi
Assessment Date: August 6, 2024
Report Version: 1.0 (Final)
Table of Contents
1. Executive Summary
2. Scope & Objectives
3. Target Inventory
4. Tools & Methodology
5. Vulnerability Summary
6. Open Ports & Services
7. Detailed Findings & Recommendations
8. Conclusion & Next Steps
9. Appendix A – Glossary
10. Appendix B – Evidence & References
1. Executive Summary

This report presents the results of a comprehensive vulnerability assessment conducted against Court Crate's public-facing infrastructure (courtcrate.com). The assessment was performed on August 6, 2024, utilizing industry-standard tools including Nmap for network reconnaissance, Tenable Nessus Essentials for vulnerability scanning, and Selenium for browser-based verification. Manual validation was conducted using curl and browser developer tools.

Key Findings:
• 0 Critical vulnerabilities identified
• 0 High-severity vulnerabilities identified
• 2 Medium-severity vulnerabilities requiring timely remediation
• 1 Low-severity vulnerability
• 23 Informational findings for hardening

The assessment identified moderate but correctable security risks. No critical flaws were discovered that would allow immediate exploitation or system compromise. However, the presence of missing security headers (anti-clickjacking and HSTS), WordPress user enumeration capabilities, and permissive HTTP method configurations present exploitable weaknesses that warrant prompt remediation.

The primary medium-severity finding is the lack of clickjacking protections (X-Frame-Options and Content-Security-Policy frame-ancestors headers), which could allow attackers to overlay invisible iframes and trick users into unintended actions. The secondary medium finding is WordPress user enumeration via the ?author= parameter, exposing administrator usernames to potential brute-force attacks.

Implementation of the recommended configuration hardening measures will significantly strengthen the organization's security posture and align the system with OWASP Top 10 mitigations and CISA web-server baseline standards.

2. Scope & Objectives
2.1 Scope

In Scope: Public-facing web host (courtcrate.com), externally reachable services, DNS resolution, TLS/SSL configuration, HTTP response headers, and WordPress application-level exposure.

Out of Scope: Internal network infrastructure, authenticated scanning, exploitation attempts, social engineering, physical security testing, and backend database systems.

2.2 Objectives
3. Target Inventory
Item                    | Value
Domain                  | courtcrate.com
IP Address              | 74.208.236.198
Reverse DNS             | 74-208-236-198.elastic-ssl.ui-r.com
OS (Scanner Reported)   | AIX 5.3 (likely false positive; actual OS unavailable)
Hosting Provider        | IONOS Hosting
CMS Platform            | WordPress 6.x
Web Server              | Apache / LiteSpeed
Application Environment | PHP 8.x / MySQL 5.7+
4. Tools & Methodology
4.1 Network Reconnaissance (Nmap)

Nmap was used to perform non-intrusive host discovery and service enumeration. Scans identified all accessible TCP ports, running services, and service version information. Multiple scan profiles were executed including SYN stealth scans, service version detection (-sV), and top-1000 port enumeration.

4.2 Vulnerability Scanning (Nessus Essentials)

Tenable Nessus Essentials conducted comprehensive vulnerability scanning, identifying 26 distinct findings across multiple severity levels. The scanner performed banner grabbing, service fingerprinting, and configuration analysis to detect known vulnerabilities, missing patches, and security misconfigurations.

4.3 Browser-Based Verification (Selenium)

Automated browser testing via Selenium was performed to verify the presence or absence of security headers and to confirm UI elements that could be vulnerable to frame-overlay attacks. This testing simulated real-world user interactions with the web application.

4.4 Manual Validation

Manual verification using curl command-line requests and browser Developer Tools confirmed TLS protocol versions, cipher suites, HTTP response headers, session cookie attributes, and server banner information.

5. Vulnerability Summary
5.1 Severity Classification
Severity      | Count | Key Findings
Critical      | 0     | None identified
High          | 0     | None identified
Medium        | 2     | Clickjacking, WordPress User Enumeration
Low           | 1     | Basic Authentication Without HTTPS
Informational | 23    | Missing HSTS, Insecure Cookie Flags, Server Version Disclosure, Permissive HTTP Methods
5.2 Vulnerability Analysis
Severity      | Count | Remediation Timeline
Medium        | 2     | 30 days
Low           | 1     | 60 days
Informational | 23    | 90 days (ongoing hardening)
6. Open Ports & Services

Network reconnaissance identified the following open TCP ports and associated services on the target host:

Port    | State  | Service    | Protocol
20/tcp  | Closed | FTP Data   | TCP
21/tcp  | Open   | FTP        | TCP
25/tcp  | Open   | SMTP       | TCP
53/tcp  | Open   | DNS        | TCP
80/tcp  | Open   | HTTP       | TCP
110/tcp | Open   | POP3       | TCP
143/tcp | Open   | IMAP       | TCP
443/tcp | Open   | HTTPS      | TCP
465/tcp | Open   | SMTPS      | TCP
587/tcp | Open   | Submission | TCP
993/tcp | Open   | IMAPS      | TCP
995/tcp | Open   | POP3S      | TCP

Observation: The presence of open mail-related ports (SMTP, IMAP, POP3 and their encrypted variants) expands the attack surface and creates potential vectors for credential brute-forcing, relay abuse, and information gathering. The legacy FTP service (port 21) should be disabled in favor of SFTP/FTPS for secure file transfers.

7. Detailed Findings & Recommendations
7.1 Finding #1: Clickjacking Vulnerability (Nessus Plugin 85582)
Severity: MEDIUM | CVSS v2: 4.3 | Plugin ID: 85582

Description: The web application fails to implement frame-restriction headers (X-Frame-Options or Content-Security-Policy frame-ancestors directives). This allows attackers to embed the target page within a malicious webpage using HTML iframes, enabling UI Redress or Clickjacking attacks.

Attack Vector: An attacker creates a malicious website that invisibly overlays the target site's interactive elements (buttons, links, forms) on top of attacker-controlled content. When a victim visits the malicious site, they unknowingly interact with the hidden target site, potentially causing them to:

Affected Pages: All pages with interactive elements including login forms, transaction interfaces, account settings, and administrative functions.

Root Cause: The web server is not sending appropriate HTTP response headers to restrict frame embedding. Both the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive are absent from all observed responses.

Remediation (Priority: IMMEDIATE – 7 days):

Option A: Using X-Frame-Options Header (Recommended for broad compatibility)
Add the following HTTP header to all responses from the web server:
X-Frame-Options: SAMEORIGIN

This directive instructs browsers to only allow the page to be framed by pages from the same origin. Alternative values:
DENY – prevent framing entirely (most restrictive)
SAMEORIGIN – allow framing only from same domain (recommended for most applications)
ALLOW-FROM uri – allow framing only from specified domain (deprecated; use CSP instead)

Option B: Using Content-Security-Policy Header (Modern standard, more flexible)
Add or update the Content-Security-Policy header:
Content-Security-Policy: frame-ancestors 'self';

This restricts framing to the same origin and provides more granular control than X-Frame-Options.

Recommended Implementation (Option A + Option B for defense-in-depth):
For Apache web server, add to .htaccess or apache2.conf:
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Content-Security-Policy "frame-ancestors 'self';"

For WordPress/PHP applications, add to functions.php or appropriate header file:
header("X-Frame-Options: SAMEORIGIN");
header("Content-Security-Policy: frame-ancestors 'self';");

Validation Steps:
1. Deploy headers to production
2. Verify headers using curl: curl -I https://courtcrate.com
3. Confirm X-Frame-Options and CSP frame-ancestors appear in response
4. Test in browser: attempt to frame page in external iframe (should be blocked)
5. Re-run Nessus scan to confirm remediation

Timeline: 7 days to implementation and validation
7.2 Finding #2: WordPress User Enumeration (Nessus Plugin 90067)
Severity: MEDIUM | CVSS v2: 5.0 | Plugin ID: 90067

Description: The WordPress installation exposes administrator usernames through the ?author= parameter. Attackers can enumerate valid user accounts by iterating through numeric author IDs, leaking information required for targeted brute-force or social engineering attacks.

Attack Vector: By accessing URLs such as courtcrate.com/?author=1, ?author=2, etc., attackers receive HTTP 301 redirects to author archive pages that disclose the actual username. This allows systematic enumeration of all WordPress user accounts.

Remediation (Priority: HIGH – 14 days):
1. Install security hardening plugin (e.g., Wordfence, iThemes Security) to disable author archives
2. Add .htaccess rewrite rule to block author parameter queries (requires mod_rewrite; the rule returns 403 Forbidden for any query string beginning with author=<digits>):
RewriteEngine On
RewriteCond %{QUERY_STRING} ^author=\d
RewriteRule ^(.*)$ - [L,F]

3. Enforce strong password policy and implement two-factor authentication (2FA) for all admin accounts
4. Deploy rate-limiting on login endpoints to prevent brute-force attacks
5. Regularly audit WordPress user list; remove inactive accounts
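As an added detection example (not code from this report or from Court Crate), the following script scans Apache combined-format access log lines for the ?author=N probing described above and reports, per client, which IDs were tried, how many probes received the 301 archive redirect (username disclosed) and how many were refused with 403 (the .htaccess rule in effect). The log lines, the client addresses and the threshold of three distinct IDs are constructed assumptions.

```python
# Added example, not code from the report or from Court Crate: flags clients
# that probe the ?author=N parameter (Finding #2) in Apache combined-format
# access logs. Log lines and the detection threshold are constructed.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")

def detect_author_enumeration(lines, threshold=3):
    """Return {ip: {"ids": [...], "redirected": n, "blocked": n}} for each client
    that requested at least `threshold` distinct author IDs."""
    ids = defaultdict(set)
    redirected = defaultdict(int)  # 301 = author archive served, username exposed
    blocked = defaultdict(int)     # 403 = rewrite rule refused the request
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        probe = AUTHOR_RE.search(m["path"])
        if not probe:
            continue
        ip = m["ip"]
        ids[ip].add(int(probe.group(1)))
        if m["status"] == "301":
            redirected[ip] += 1
        elif m["status"] == "403":
            blocked[ip] += 1
    return {
        ip: {"ids": sorted(seen), "redirected": redirected[ip], "blocked": blocked[ip]}
        for ip, seen in ids.items()
        if len(seen) >= threshold
    }

# Constructed log lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Aug/2024:10:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.7 - - [06/Aug/2024:10:01:03 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.7 - - [06/Aug/2024:10:01:04 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.7 - - [06/Aug/2024:10:01:05 +0000] "GET /?author=4 HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.9 - - [06/Aug/2024:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Aug/2024:10:05:30 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in detect_author_enumeration(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

After the rewrite rule is deployed, the "redirected" count for new probes should stay at zero while "blocked" rises, which is a quick way to confirm the control from the log side.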
7.3 Finding #3: Basic Authentication Without HTTPS (Nessus Plugin 34850)
Severity: LOW | CVSS v2: 2.6 | Plugin ID: 34850

Description: Legacy services on ports 110 (POP3) and potentially others accept Basic Authentication over unencrypted connections, allowing credential interception via man-in-the-middle (MITM) attacks.

Remediation (Priority: MEDIUM – 30 days):
1. Disable unencrypted protocols: FTP (21), SMTP (25), POP3 (110), IMAP (143)
2. Enforce encrypted alternatives: SFTP/FTPS, SMTPS (465), POP3S (995), IMAPS (993)
3. Redirect all HTTP traffic to HTTPS; disable plaintext HTTP for sensitive operations
4. Implement HSTS (HTTP Strict-Transport-Security) to force HTTPS-only connections
7.4 Finding #4: Missing Security Headers (Informational)
Severity: INFORMATIONAL | Plugin ID: 69826, 85601, 43111

Missing Headers: HTTP Strict-Transport-Security (HSTS), Secure/HttpOnly/SameSite cookie flags, X-Content-Type-Options, X-XSS-Protection

Impact: Cookies vulnerable to XSS and CSRF; browsers may downgrade to HTTP; server fingerprinting enables targeted attacks.

Remediation:
Add the following headers to all web server responses:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
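As an added verification example (not code from this report or from Court Crate), the following checker takes the header lines of one HTTP response, such as a saved "curl -I" capture from the validation steps in Finding #1, and reports which of the controls recommended in Findings #1 and #4 are absent. The two sample captures are constructed, not real courtcrate.com responses; X-XSS-Protection is not checked because current browsers ignore it.

```python
# Added example, not code from the report or from Court Crate: checks one HTTP
# response's header lines (e.g. a saved "curl -I" capture) for the controls
# recommended in Findings #1 and #4. Sample captures below are constructed.
import re

def parse_header_lines(raw: str) -> list[tuple[str, str]]:
    """(name, value) pairs from a header block; names lower-cased, status line skipped."""
    pairs = []
    for line in raw.splitlines():
        if line.upper().startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_headers(pairs: list[tuple[str, str]]) -> list[str]:
    """Return the list of missing controls; an empty list means all are present."""
    last = dict(pairs)  # last value wins; Set-Cookie is multi-valued and handled below
    findings = []
    # Finding #1: either frame control is sufficient; the report recommends both.
    xfo = last.get("x-frame-options", "").upper()
    csp = last.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no frame restriction (X-Frame-Options / CSP frame-ancestors)")
    # Finding #4: HSTS must be present with at least the recommended one-year max-age.
    m = re.search(r"max-age=(\d+)", last.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < 31536000:
        findings.append("HSTS missing or max-age below 31536000")
    if last.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    # Finding #4: every Set-Cookie needs Secure, HttpOnly and SameSite.
    for name, value in pairs:
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            attrs = {p.split("=")[0].lower() for p in parts[1:]}
            for flag in ("secure", "httponly", "samesite"):
                if flag not in attrs:
                    findings.append(f"cookie {parts[0].split('=')[0]} lacks {flag}")
    return findings

# Constructed captures (not real courtcrate.com responses): before and after hardening.
SAMPLE_BEFORE = "HTTP/2 200\nserver: Apache\nset-cookie: wordpress_test_cookie=WP+Cookie+check; path=/\n"
SAMPLE_AFTER = """HTTP/2 200
x-frame-options: SAMEORIGIN
content-security-policy: frame-ancestors 'self';
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
set-cookie: wordpress_test_cookie=WP+Cookie+check; path=/; Secure; HttpOnly; SameSite=Lax"""
```

Feeding the output of curl -I https://courtcrate.com to parse_header_lines and then check_headers gives the same pass/fail view as re-running the scanner, without waiting for a full Nessus cycle.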
8. Conclusion & Next Steps

Court Crate's web infrastructure presents moderate but fully correctable security risks. No critical or high-severity vulnerabilities were identified that would allow immediate system compromise. However, the two medium-severity findings—clickjacking and WordPress user enumeration—warrant prompt remediation to prevent exploitation.

Immediate Actions (0–30 days):
Short-term Actions (30–60 days):
Long-term Actions (60–90 days & ongoing):

Conclusion: By implementing the recommended remediations, Court Crate can significantly enhance its security posture, align with industry best practices, and reduce exposure to common web-based attacks. Regular assessment and maintenance will ensure that improvements persist as the environment evolves.

9. Appendix A – Glossary
Term         | Definition
CVSS         | Common Vulnerability Scoring System – standardized method for rating severity of vulnerabilities (0–10 scale)
Clickjacking | UI redress attack where attacker overlays invisible iframes to trick users into unintended actions
CSP          | Content Security Policy – HTTP header controlling which content sources (scripts, iframes) browsers can load