See: https://asafaweb.com/Scan?Url=truparportal.azurewebsites.net
Custom errors are easy to enable, just configure the web.config to ensure the mode is either “On” or “RemoteOnly” and ensure there is a valid “defaultRedirect” defined for a custom error page as follows:
It looks like a cookie is being set without the “HttpOnly” flag being set (name : value):
ARRAffinity : 5240d690100c4c51092a2085d43ee37beeb0befddd5e0fe39db70c0558a9d512
Unless the cookie legitimately needs to be read by JavaScript on the client, the “HttpOnly” flag should always be set to ensure it cannot be read by the client and used in an XSS attack.
→ http://www.domxssscanner.com/scan?url=http%3A%2F%2Ftruparportal.azurewebsites.net
→ https://www.virustotal.com/nl/url/65246b7375ebb5cec3e948528517201bb8490881bbdfee77ee813b38d7c8d24d/analysis/1450023818/
Other scanners do not flag: http://urlquery.net/report.php?id=1450023959012 & https://sitecheck.sucuri.net/results/truparportal.azurewebsites.net#sitecheck-details
pol