Retrieved https://performancetest-qa.processmaker.net/metrics by using a GET request on the URL without prior knowledge.

The potentially vulnerable code was found on url 'https://performancetest-qa.processmaker.net/vendor/processmaker/packages/package-ai/js/webhook.js'. An attacker may be able to inject JavaScript using the the code 'location.href' at line 2:288441 and control its display using the code 'setTimeout' at line 2:34103

The potentially vulnerable code was found on url 'https://performancetest-qa.processmaker.net/vendor/processmaker/packages/package-savedsearch/js/addSaveButton.js'. An attacker may be able to inject JavaScript using the the code 'location.href' at line 2:315254 and control its display using the code 'setTimeout' at line 2:230985

The potentially vulnerable code was found on url 'https://performancetest-qa.processmaker.net/builds/login/js/app-login.js'. An attacker may be able to inject JavaScript using the the code 'document.cookie' at line 2:12994 and control its display using the code 'setTimeout' at line 2:1267

The cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 is weak.

The cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is weak.

The server is configured to use average ciphers like SEED + 128+256 Bit CBC ciphers (AES, CAMELLIA and ARIA) which are deprecated

OCSP_stapling is not offered by the server.

The content security policy is missing the report-to directive. This was found on URL https://performancetest-qa.processmaker.net

The cookie with the name 'device_id' does not have the flag 'HttpOnly' set. This may leak sensitive information. This was found on URL https://performancetest-qa.processmaker.net.

The Referrer-Policy header is not set for URL https://performancetest-qa.processmaker.net.

Found open port '80/tcp' with service name 'awselb/2.0'