Missing SRI Hash and Servlet 2.4; JBoss-4.3.0.GA_CP05 exploit vulnerability!

Missing SRI Hash victim?
Re: https://www.eff.org/https-everywhere/atlas/domains/quamnet.com.html
Re: http://toolbar.netcraft.com/site_report?url=quamnet.com
Exploit detected via excessive headers warning: Result
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Apache/2.2.15 (Red Hat)
X-Powered-By: Servlet 2.4; JBoss-4.3.0.GA_CP05 (build: SVNTag=JBPAPP_4_3_0_GA_CP05 date=200906222114)/JBossWeb-2.0
-https://victi.ms/hash/ etc.

Result
It looks like a cookie is being set without the “HttpOnly” flag being set (name : value):

JSESSIONID : 5CC3E2BD57D4052C5220549505333EC7
Unless the cookie legitimately needs to be read by JavaScript on the client, the “HttpOnly” flag should always be set to ensure it cannot be read by the client and used in an XSS attack.

SRI Hash issue: Scripts 1 issues
Tag Result

Missing SRI hash

But there is not much we can do:

Error: this resource is not eligible for integrity checks. See -http://enable-cors.org/server.html
* http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fenable-cors.org%2Fserver.html

Consider: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fquamnet.com%2Findex.action

*http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.quamnet.com%2Fmedia%2FSubscription%2FZH_TW%2Ffeaturestory.js

polonus
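As an added example (not part of the post above and not output of any of the scanners it links), the following Python checks the three findings the post quotes: version-disclosing headers, a session cookie set without HttpOnly, and whether a script is even eligible for an SRI integrity hash. The header values are constructed copies of those quoted in the post; the origin names are assumptions.

```python
import base64
import hashlib
import re

# Constructed sample headers, modelled on those quoted in the post above.
SAMPLE_HEADERS = [
    ("Server", "Apache/2.2.15 (Red Hat)"),
    ("X-Powered-By", "Servlet 2.4; JBoss-4.3.0.GA_CP05 (build: SVNTag=JBPAPP_4_3_0_GA_CP05 "
                     "date=200906222114)/JBossWeb-2.0"),
    ("Set-Cookie", "JSESSIONID=5CC3E2BD57D4052C5220549505333EC7; Path=/"),
]

# Headers that commonly leak the web platform and its version.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")


def audit_headers(headers):
    """Return findings for platform disclosure and weak session cookies."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        # A product name with a digit in it is almost always a version string.
        if lname in DISCLOSING and re.search(r"\d", value):
            findings.append(f"{name} discloses platform/version: {value}")
        if lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            # Attribute names after the first ';' (HttpOnly, Secure, Path, ...).
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie_name} lacks HttpOnly")
            if "secure" not in attrs:
                findings.append(f"cookie {cookie_name} lacks Secure")
    return findings


def sri_integrity(script_bytes, algo="sha384"):
    """Value for <script integrity="...">: algorithm prefix + base64 of the raw digest."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_eligible(resource_origin, page_origin, acao_header):
    """SRI only works for same-origin scripts or cross-origin ones served with CORS.

    acao_header is the Access-Control-Allow-Origin value, or None when absent;
    without it the browser reports the resource as not eligible for integrity checks.
    """
    if resource_origin == page_origin:
        return True
    return acao_header is not None and acao_header.strip() in ("*", page_origin)
```

Run `audit_headers(SAMPLE_HEADERS)` to reproduce the four findings the post's scans report for those headers.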