Test OWASP Top-10 Security related risks

[astrajescu]

Run tests related to OWASP Top-10 security risks, where applicable.

[olegderid]

• SSL (https) protocol has no auto redirect to https for the moment -> http://microsimulation.pub/ to https://microsimulation.pub/
  risk: medium
  issue ref: Rewrite rules for Nginx #76

• XSS injection possible in form from partner site launched by the [Submit your research] button:
  **risk:**High
  tech details:
  inject ->
  <b onmouseover=alert('Wufff!')>click me!</b> into any edit box
  https://www.epress.ac.uk/ijm/webforms/author3.php
  video evidence:

• CWE-200 -
  risk: low
  tech details: server leaks technology stack info in response headers:

Server: nginx/1.15.5
X-Powered-By: PHP/7.0.29

issue ref: #76

vulnerability: Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.

• CWE-352 -
  risk: low
  tech details: http://microsimulation.pub/search?for=%3Cscript%3Ewindow.onload+%3D+function%28%29+%7Bvar+link%3Ddocument.getElementsByTagName%28%22a%22%29%3Blink%5B0%5D.href%3D%22http%3A%2F%2Fnot-real-xssattackexamples.com%2F%22%3B%7D%3C%2Fscript%3E

vulnerability:
No Anti-CSRF tokens were found in a HTML submission form.
A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim.

**Tool used: ** https://www.zaproxy.org/