See: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fsuplementos-musculacao.com&useragent=Fetch+useragent&accept_encoding=
and then we did a scan at ASafaWeb: https://asafaweb.com/Scan?Url=suplementos-musculacao.com
Custom errors: Fail
Requested URL: -http://suplementos-musculacao.com/site.aspx?aspxerrorpath=/trace.axd&foo= | Response URL: -http://suplementos-musculacao.com/site.aspx?aspxerrorpath=/trace.axd&foo= | Page title: Runtime Error | HTTP status code: 500 (Internal server error) | Response size: 1,763 bytes | Duration: 924 ms
Overview
Custom errors are used to ensure that internal error messages are not exposed to end users. Instead, a custom error message should be returned which provides a friendlier user experience and keeps potentially sensitive internal implementation information away from public view.
Result
It looks like custom errors are not correctly configured as the requested URL contains the heading “Server Error in”.
Custom errors are easy to enable: just configure the web.config to ensure the mode is either “On” or “RemoteOnly” and ensure there is a valid “defaultRedirect” defined for a custom error page.
Excessive headers: Warning
Requested URL: -http://suplementos-musculacao.com/ | Response URL: -http://suplementos-musculacao.com/ | Page title: None | HTTP status code: 200 (OK) | Response size: 311 bytes | Duration: 3,159 ms
Overview
By default, excessive information about the server and frameworks used by an ASP.NET application are returned in the response headers. These headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers.
Result
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Configuring the application to not return unnecessary headers keeps this information silent and makes it significantly more difficult to identify the underlying frameworks.
Clickjacking: Warning
Requested URL: -http://suplementos-musculacao.com/ | Response URL: -http://suplementos-musculacao.com/ | Page title: None | HTTP status code: 200 (OK) | Response size: 311 bytes | Duration: 3,159 ms
Overview
Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An “X-Frame-Options” header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from trusted URIs.
Result
It doesn’t look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.
Let us see what domain neighbours this domain has on one and the same IP: https://www.virustotal.com/en/ip-address/50.63.202.32/information/
This link should be blocked by your adblocker; add it: -https://www.google.com/adsense/domains/caf.js
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.google.com%2Fadsense%2Fdomains%2Fcaf.js
Also blocked for me: a link in the code to the parking page. uMatrix has prevented the following page from loading:
-http://mcc.godaddy.com/park/MzuwrKW6pzSaLzLgrzuzpTu5oaOhLv5jLab=
This Web page is parked FREE, courtesy of GoDaddy. AOS does not flag! → http://toolbar.netcraft.com/site_report?url=http://suplementos-musculacao.com
This was stopped by Disconnect and sent to about:blank: -data:application/javascript;base64,…
polonus (volunteer website security analyst and website error-hunter)
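For the three ASafaWeb findings quoted above (custom errors off, the Server / X-Powered-By / X-AspNet-Version headers, and the missing X-Frame-Options header), the fix lives in the site's web.config. The fragment below is an added example, not the scanned site's configuration and not ASafaWeb's code; the error page path ~/Error.aspx is an assumption, and the outbound rewrite rule needs the IIS URL Rewrite module, because on IIS 7.5 (the version the scan reported) there is no built-in switch for the Server header.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config hardening for the findings in the ASafaWeb scan.
     ~/Error.aspx is an assumed page; create it (static content, no stack traces). -->
<configuration>
  <system.web>
    <!-- Finding 1: "Custom errors: Fail".
         RemoteOnly shows the "Server Error in ..." page only on localhost;
         remote visitors get the friendly page named in defaultRedirect.
         redirectMode="ResponseRewrite" keeps the original URL and the real
         status code instead of a 302 to the error page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" redirectMode="ResponseRewrite">
      <error statusCode="404" redirect="~/Error.aspx" />
      <error statusCode="500" redirect="~/Error.aspx" />
    </customErrors>

    <!-- The scan probed /trace.axd; make sure tracing is off and never remote. -->
    <trace enabled="false" localOnly="true" />

    <!-- Finding 2 (part): drops the "X-AspNet-Version: 4.0.30319" header. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Finding 2 (part): drops "X-Powered-By: ASP.NET". -->
        <remove name="X-Powered-By" />
        <!-- Finding 3: "Clickjacking: Warning". SAMEORIGIN lets the site frame
             itself; use DENY if nothing on the site is ever framed. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>

    <!-- Finding 2 (part): "Server: Microsoft-IIS/7.5". IIS 7.5 has no
         removeServerHeader setting (that arrived with IIS 10), so blank the
         header with a URL Rewrite outbound rule. Requires the URL Rewrite module. -->
    <rewrite>
      <outboundRules>
        <rule name="Remove Server header">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying, repeat the scan's own probe rather than trusting the config: request /trace.axd and /site.aspx?aspxerrorpath=/trace.axd&foo= and confirm the body no longer contains "Server Error in", then check the headers of / for the three removed names and the added X-Frame-Options. Modern browsers also honour a Content-Security-Policy frame-ancestors directive, which can be sent alongside X-Frame-Options for the same purpose.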