SE redirection detected and retirable code and other insecurities...

SE visitor redirects, e.g. abuse on Amazon dot com
Visitors from search engines are redirected
to: -http://www.leaguelineup.com/skyhawksfootball
1296 sites infected with redirects to this URL

-http://www.leaguelineup.com/welcome.asp?url=skyhawksfootball
Detected libraries:
jquery - 1.11.3 : (active) -https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js
(active) - the library was also found to be active by running code
No vulnerable libraries found

Scanner output:
Scanning -http://www.leaguelineup.com/welcome.asp?url=skyhawksfootball
Script loaded: -https://maxcdn.bootstrapcdn.com/bootstrap/3.3.1/js/bootstrap.min.js
Script loaded: -https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js
Script loaded: -https://www.leaguelineup.com/js/home.js
Status: success
Detected library: jquery - 1.11.3
Load time: 7824ms

Fail and three warnings: https://asafaweb.com/Scan?Url=www.leaguelineup.com%2Fwelcome.asp%3Furl%3Dskyhawksfootball
Overview
Custom errors are used to ensure that internal error messages are not exposed to end users. Instead, a custom error message should be returned which provides a friendlier user experience and keeps potentially sensitive internal implementation information away from public view.

Result
It looks like custom errors are not correctly configured as the requested URL contains the heading “Server Error in”.

Custom errors are easy to enable, just configure the web.config to ensure the mode is either “On” or “RemoteOnly” and ensure there is a valid “defaultRedirect” defined for a custom error page as follows:

Overview
Cookies not flagged as “HttpOnly” may be read by client side script and are at risk of being interpreted by a cross site scripting (XSS) attack. Whilst there are times where a cookie set by the server may be legitimately read by client script, most times the “HttpOnly” flag is missing it is due to oversight rather than by design.

Result
It looks like a cookie is being set without the “HttpOnly” flag being set (name : value):

ASPSESSIONIDQCQRATBT : PKNBCGODPHNMCICDEHPPJJID
Unless the cookie legitimately needs to be read by JavaScript on the client, the “HttpOnly” flag should always be set to ensure it cannot be read by the client and used in an XSS attack.

Possible Frontend SPOF from:

ajax.googleapis.com

66% of the trackers on this site could be protecting you from NSA snooping. Tell leaguelineup.com to fix it.
Unique IDs about your web browsing habits have been insecurely sent to third parties.

p5tsfmmt4i50uXXXXXXXXXXXXX -www.leaguelineup.com phpsessid
-local.adguard.com __cfduid

12 tracking parties -
Google
Google
-netdna.bootstrapcdn.com
-maxcdn.bootstrapcdn.com
-www.leaguelineup.com
Facebook
Google
Google
-local.adguard.com
-my.llfiles.com
Google
-www.adapttraining.com

polonus