Click and cookie jacking
Using nikto I was able to find the follow two issues:
- The anti-clickjacking X-Frame-Options header is not present.
- Cookie PHPSESSID created without the httponly flag
This will allow me to exploit the fact that I can generate my own cookie, using another users session. i.e. Logging in as another user. And to create a click jacking site which will pretend to be the original site.
To get the PHPSESSID open up the web console (Ctrl+Shift+k) and enter: