// sample report
Website Vulnerability Scan — Sample Report
Example scenario
A small SaaS team runs a non-invasive scan of their public marketing site and login page before a launch.
Executive summary
The scan reviewed the publicly observable surface only. Three issues were prioritised: a missing Content-Security-Policy, a cookie set without the Secure attribute, and an outdated jQuery version with known advisories. None indicate an active compromise; all are hardening items to close before launch.
Findings
| ID | Finding | Severity | Mapping |
|---|---|---|---|
| VS-01 | Missing Content-Security-Policy header | Medium | OWASP A05:2021 · CWE-693 · NIST SC-18 |
| VS-02 | Session cookie missing Secure attribute | Medium | OWASP A05:2021 · CWE-614 · NIST SC-8 |
| VS-03 | Outdated front-end library | Low | OWASP A06:2021 · CWE-1104 · NIST SI-2 |
Details
VS-01 · Missing Content-Security-Policy header
MediumEvidence. No Content-Security-Policy header returned on / and /login responses.
Risk. Without a CSP, injected scripts have fewer barriers, increasing the impact of any cross-site scripting flaw.
OWASP A05:2021 · CWE-693 · NIST SC-18
VS-02 · Session cookie missing Secure attribute
MediumEvidence. Set-Cookie for the session identifier lacked the Secure flag over HTTPS.
Risk. A cookie without Secure can be transmitted over an unencrypted channel and exposed to interception.
OWASP A05:2021 · CWE-614 · NIST SC-8
VS-03 · Outdated front-end library
LowEvidence. A bundled JavaScript library reported a version with published security advisories.
Risk. Known client-side issues can be leveraged if a matching sink exists in the application.
OWASP A06:2021 · CWE-1104 · NIST SI-2
Related NeoShield tool
Open AI Vulnerability Scanner →