From cf2c597bc345a340821d0b13c0c5f3c3f8e6ff4c Mon Sep 17 00:00:00 2001 From: learningandgo Date: Wed, 17 Jan 2024 11:53:19 +0700 Subject: [PATCH 1/4] Add Jenkinsfile --- Jenkinsfile | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 Jenkinsfile diff --git a/Jenkinsfile b/Jenkinsfile new file mode 100644 index 0000000..d01ebe9 --- /dev/null +++ b/Jenkinsfile @@ -0,0 +1,33 @@ +pipeline { + agent none + stages { + stage('Maven Compile') { + agent { + label 'maven' + } + steps { + sh 'mvn compile' + } + } + stage('Build Docker Image'){ + agent { + docker { + image 'docker:dind' + args '-u root -v /var/run/docker.sock:/var/run/docker.sock' + } + } + steps { + sh 'docker build -t vulnerable-java-application:0.1 .' + } + } + stage('Run Docker Image'){ + agent { + label 'built-in' + } + steps { + sh 'docker rm --force vulnerable-java-application' + sh 'docker run --name vulnerable-java-application -p 9000:9000 -d vulnerable-java-application:0.1' + } + } + } +} \ No newline at end of file From a7c0c8c717de514fa0890596ae769a8912c1a509 Mon Sep 17 00:00:00 2001 From: learningandgo Date: Wed, 17 Jan 2024 11:55:33 +0700 Subject: [PATCH 2/4] Add testjenkins.txt --- Testjenkins.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 Testjenkins.txt diff --git a/Testjenkins.txt b/Testjenkins.txt new file mode 100644 index 0000000..bf21a85 --- /dev/null +++ b/Testjenkins.txt @@ -0,0 +1 @@ +Testjenkins \ No newline at end of file From 37f52b2413e9d083d1cf15a8ed5294d6967a61c4 Mon Sep 17 00:00:00 2001 From: learningandgo Date: Wed, 17 Jan 2024 13:52:35 +0700 Subject: [PATCH 3/4] OWASP Dependency check integration --- Jenkinsfile | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index d01ebe9..5f7398f 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -6,10 +6,37 @@ pipeline { label 'maven' } steps { - sh 'mvn compile' + sh 'mvn compile' } } - stage('Build Docker Image'){ + stage('Secret Scanning'){ + agent { + docker { + image 'trufflesecurity/trufflehog:latest' + args '-v /var/run/docker.sock:/var/run/docker.sock --entrypoint=' + } + } + steps { + sh 'trufflehog --no-update filesystem . --json > trufflehogscan.json' + sh 'cat trufflehogscan.json' + archiveArtifacts artifacts: 'trufflehogscan.json' + } + } + stage('SCA') { + agent { + docker { + image 'owasp/dependency-check:latest' + args '-v /var/run/docker.sock:/var/run/docker.sock --entrypoint=' + } + } + steps { + sh '/usr/share/dependency-check/bin/dependency-check.sh --scan . --project "VulnerableJavaWebApplication" --format ALL' + archiveArtifacts artifacts: 'dependency-check-report.html' + archiveArtifacts artifacts: 'dependency-check-report.json' + archiveArtifacts artifacts: 'dependency-check-report.xml' + } + } + stage('Build Docker Image'){ agent { docker { image 'docker:dind' @@ -17,7 +44,7 @@ pipeline { } } steps { - sh 'docker build -t vulnerable-java-application:0.1 .' + sh 'docker build -t vulnerable-java-application:0.1 .' } } stage('Run Docker Image'){ From 5305bde1817197ae6ab81c3570993665dc11b79a Mon Sep 17 00:00:00 2001 From: learningandgo Date: Thu, 18 Jan 2024 08:08:34 +0700 Subject: [PATCH 4/4] owasp zap dast integration --- Jenkinsfile | 17 + zap.yaml | 33 + zapfull.html | 5083 ++++++++++++++++++++++++++++++++++++++++++++++++ zapreport.html | 2780 ++++++++++++++++++++++++++ 4 files changed, 7913 insertions(+) create mode 100644 zap.yaml create mode 100644 zapfull.html create mode 100644 zapreport.html diff --git a/Jenkinsfile b/Jenkinsfile index 5f7398f..c4aa397 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -56,5 +56,22 @@ pipeline { sh 'docker run --name vulnerable-java-application -p 9000:9000 -d vulnerable-java-application:0.1' } } + stage('DAST'){ + agent { + docker { + image 'owasp/zap2docker-stable:latest' + args '-v /var/run/docker.sock:/var/run/docker.sock --entrypoint= -v .:/zap/wrk/:rw' + } + } + steps { + catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { + sh 'zap-full-scan.py -t https://172.18.0.3:9000 -r zapfull.html -x zapfull.xml' + } + sh 'cp /zap/wrk/zapfull.html ./zapfull.html' + sh 'cp /zap/wrk/zapfull.xml ./zapfull.xml' + archiveArtifacts artifacts: 'zapfull.html' + archiveArtifacts artifacts: 'zapfull.xml' + } + } } } \ No newline at end of file diff --git a/zap.yaml b/zap.yaml new file mode 100644 index 0000000..e064746 --- /dev/null +++ b/zap.yaml @@ -0,0 +1,33 @@ +env: + contexts: + - excludePaths: [] + name: baseline + urls: + - https://localhost:9000 + parameters: + failOnError: true + progressToStdout: false +jobs: +- parameters: + enableTags: false + maxAlertsPerRule: 10 + type: passiveScan-config +- parameters: + maxDuration: 1 + url: https://localhost:9000 + type: spider +- parameters: + maxDuration: 0 + type: passiveScan-wait +- parameters: + format: Long + summaryFile: /home/zap/zap_out.json + rules: [] + type: outputSummary +- parameters: + reportDescription: '' + reportDir: /zap/wrk/ + reportFile: zapreport.html + reportTitle: ZAP Scanning Report + template: traditional-html + type: report diff --git a/zapfull.html b/zapfull.html new file mode 100644 index 0000000..d3d0a0e --- /dev/null +++ b/zapfull.html @@ -0,0 +1,5083 @@ + + + + +ZAP Scanning Report + + + +

+ + + ZAP Scanning Report +

+

+ + +

+ + Site: https://localhost:9000 + +

+ +

+ Generated on Thu, 18 Jan 2024 00:46:45 +

+ +

+ ZAP Version: 2.14.0 +

+ + +

Summary of Alerts

+ + + + + + + + + + + + + + + + + + + + + + + + + +
Risk LevelNumber of Alerts
+
High
+ 		+
2
+
+
Medium
+ 		+
7
+
+
Low
+ 		+
6
+
+
Informational
+ 		+
7
+
+
False Positives:
+ 		+
0
+
+
+ + + +

Alerts

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameRisk LevelNumber of Instances
Cross Site Scripting (DOM Based)High2
Cross Site Scripting (Reflected)High1
Absence of Anti-CSRF TokensMedium3
Anti-CSRF Tokens CheckMedium3
Content Security Policy (CSP) Header Not SetMedium3
Hidden File FoundMedium3
Insecure HTTP Method - DELETEMedium3
Missing Anti-clickjacking HeaderMedium3
Vulnerable JS LibraryMedium2
Cookie Slack DetectorLow12
Cookie without SameSite AttributeLow2
Dangerous JS FunctionsLow1
Permissions Policy Header Not SetLow5
Strict-Transport-Security Header Not SetLow9
X-Content-Type-Options Header MissingLow7
GET for POSTInformational1
Information Disclosure - Suspicious CommentsInformational2
Loosely Scoped CookieInformational2
Re-examine Cache-control DirectivesInformational3
Session Management Response IdentifiedInformational3
Storable and Cacheable ContentInformational9
User Agent FuzzerInformational24
+
+ + + +

Alert Detail

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
High
Cross Site Scripting (DOM Based)
Description +
Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.
+
+ +
When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.
+
+ +
There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.
+
+ +
Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.
+
+ +
Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.
+ +
URLhttps://localhost:9000#jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e
MethodGET
Parameter
Attack#jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e
Evidence
Other InfoTag name: button Att name: Att id:
URLhttps://localhost:9000/#jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e
MethodGET
Parameter
Attack#jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e
Evidence
Other InfoTag name: button Att name: Att id:
Instances2
Solution +
Phase: Architecture and Design
+
+ +
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
+
+ +
Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
+
+ +
Phases: Implementation; Architecture and Design
+
+ +
Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
+
+ +
For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.
+
+ +
Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.
+
+ +
Phase: Architecture and Design
+
+ +
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
+
+ +
If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
+
+ +
Phase: Implementation
+
+ +
For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.
+
+ +
To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.
+
+ +
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use an allow list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a deny list). However, deny lists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
+
+ +
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."
+
+ +
Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.
+
+ +
+ +
Reference + https://owasp.org/www-community/attacks/xss/ +
+ + https://cwe.mitre.org/data/definitions/79.html + +
CWE Id79
WASC Id8
Plugin Id40026
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
High
Cross Site Scripting (Reflected)
Description +
Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.
+
+ +
When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.
+
+ +
There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.
+
+ +
Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.
+
+ +
Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.
+ +
URLhttps://localhost:9000/search
MethodPOST
Parameterkeyword
Attack<img src=x onerror=prompt()>
Evidence<img src=x onerror=prompt()>
Other Info
Instances1
Solution +
Phase: Architecture and Design
+
+ +
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
+
+ +
Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
+
+ +
Phases: Implementation; Architecture and Design
+
+ +
Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
+
+ +
For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.
+
+ +
Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.
+
+ +
Phase: Architecture and Design
+
+ +
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
+
+ +
If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
+
+ +
Phase: Implementation
+
+ +
For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.
+
+ +
To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.
+
+ +
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use an allow list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a deny list). However, deny lists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
+
+ +
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."
+
+ +
Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.
+
+ +
+ +
Reference + https://owasp.org/www-community/attacks/xss/ +
+ + https://cwe.mitre.org/data/definitions/79.html + +
CWE Id79
WASC Id8
Plugin Id40012
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Absence of Anti-CSRF Tokens
Description +
No Anti-CSRF tokens were found in a HTML submission form.
+
+ +
A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.
+
+ +
CSRF attacks are effective in a number of situations, including:
+
+ +
* The victim has an active session on the target site.
+
+ +
* The victim is authenticated via HTTP auth on the target site.
+
+ +
* The victim is on the same local network as the target site.
+
+ +
CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.
+ +
URLhttps://localhost:9000
MethodGET
Parameter
Attack
Evidence<form class="navbar-form navbar-left" + action='/search' method="post">
Other InfoNo known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, __csrf_magic, CSRF, _token, _csrf_token] was found in the following HTML form: [Form 1: "keyword" ].
URLhttps://localhost:9000/
MethodGET
Parameter
Attack
Evidence<form class="navbar-form navbar-left" + action='/search' method="post">
Other InfoNo known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, __csrf_magic, CSRF, _token, _csrf_token] was found in the following HTML form: [Form 1: "keyword" ].
URLhttps://localhost:9000/search
MethodPOST
Parameter
Attack
Evidence<form class="navbar-form navbar-left" + action='/search' method="post">
Other InfoNo known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, __csrf_magic, CSRF, _token, _csrf_token] was found in the following HTML form: [Form 1: "keyword" ].
Instances3
Solution +
Phase: Architecture and Design
+
+ +
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
+
+ +
For example, use anti-CSRF packages such as the OWASP CSRFGuard.
+
+ +
Phase: Implementation
+
+ +
Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.
+
+ +
Phase: Architecture and Design
+
+ +
Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).
+
+ +
Note that this can be bypassed using XSS.
+
+ +
Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.
+
+ +
Note that this can be bypassed using XSS.
+
+ +
Use the ESAPI Session Management control.
+
+ +
This control includes a component for CSRF.
+
+ +
Do not use the GET method for any request that triggers a state change.
+
+ +
Phase: Implementation
+
+ +
Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.
+ +
Reference + https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html +
+ + https://cwe.mitre.org/data/definitions/352.html + +
CWE Id352
WASC Id9
Plugin Id10202
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Anti-CSRF Tokens Check
Description +
A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.
+
+ +
CSRF attacks are effective in a number of situations, including:
+
+ +
* The victim has an active session on the target site.
+
+ +
* The victim is authenticated via HTTP auth on the target site.
+
+ +
* The victim is on the same local network as the target site.
+
+ +
CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.
+ +
URLhttps://localhost:9000
MethodGET
Parameter
Attack
Evidence<form class="navbar-form navbar-left" + action='/search' method="post">
Other Info
URLhttps://localhost:9000/
MethodGET
Parameter
Attack
Evidence<form class="navbar-form navbar-left" + action='/search' method="post">
Other Info
URLhttps://localhost:9000/search
MethodPOST
Parameter
Attack
Evidence<form class="navbar-form navbar-left" + action='/search' method="post">
Other Info
Instances3
Solution +
Phase: Architecture and Design
+
+ +
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
+
+ +
For example, use anti-CSRF packages such as the OWASP CSRFGuard.
+
+ +
Phase: Implementation
+
+ +
Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.
+
+ +
Phase: Architecture and Design
+
+ +
Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).
+
+ +
Note that this can be bypassed using XSS.
+
+ +
Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.
+
+ +
Note that this can be bypassed using XSS.
+
+ +
Use the ESAPI Session Management control.
+
+ +
This control includes a component for CSRF.
+
+ +
Do not use the GET method for any request that triggers a state change.
+
+ +
Phase: Implementation
+
+ +
Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.
+ +
Reference + https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html +
+ + https://cwe.mitre.org/data/definitions/352.html + +
CWE Id352
WASC Id9
Plugin Id20012
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Content Security Policy (CSP) Header Not Set
Description +
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
+ +
URLhttps://localhost:9000
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/search
MethodPOST
Parameter
Attack
Evidence
Other Info
Instances3
Solution +
Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.
+ +
Reference + https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy +
+ + https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html +
+ + https://www.w3.org/TR/CSP/ +
+ + https://w3c.github.io/webappsec-csp/ +
+ + https://web.dev/articles/csp +
+ + https://caniuse.com/#feat=contentsecuritypolicy +
+ + https://content-security-policy.com/ + +
CWE Id693
WASC Id15
Plugin Id10038
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Hidden File Found
Description +
A sensitive file was identified as accessible or available. This may leak administrative, configuration, or credential information which can be leveraged by a malicious individual to further attack the system or conduct social engineering efforts.
+ +
URLhttps://localhost:9000/._darcs
MethodGET
Parameter
Attack
EvidenceHTTP/1.1 200
Other Info
URLhttps://localhost:9000/.bzr
MethodGET
Parameter
Attack
EvidenceHTTP/1.1 200
Other Info
URLhttps://localhost:9000/.hg
MethodGET
Parameter
Attack
EvidenceHTTP/1.1 200
Other Info
Instances3
Solution +
Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc.
+ +
Reference + https://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html + +
CWE Id538
WASC Id13
Plugin Id40035
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Insecure HTTP Method - DELETE
Description +
The insecure HTTP method [DELETE] is enabled on the web server for this resource. Depending on the web server configuration, and the underlying implementation responsible for serving the resource, this might or might not be exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the HttpOnly flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. The CONNECT method can be used by a web client to create an HTTP tunnel to third party websites or services.
+ +
URLhttps://localhost:9000
MethodOPTIONS
Parameter
Attack
EvidenceDELETE
Other InfoThe OPTIONS method disclosed the following enabled HTTP methods for this resource: [GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS]
URLhttps://localhost:9000/
MethodOPTIONS
Parameter
Attack
EvidenceDELETE
Other InfoThe OPTIONS method disclosed the following enabled HTTP methods for this resource: [GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS]
URLhttps://localhost:9000/search
MethodOPTIONS
Parameter
Attack
EvidenceDELETE
Other InfoThe OPTIONS method disclosed the following enabled HTTP methods for this resource: [GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS]
Instances3
Solution +
Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods.
+ +
Reference + https://cwe.mitre.org/data/definitions/205.html + +
CWE Id200
WASC Id45
Plugin Id90028
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Missing Anti-clickjacking Header
Description +
The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
+ +
URLhttps://localhost:9000
MethodGET
Parameterx-frame-options
Attack
Evidence
Other Info
URLhttps://localhost:9000/
MethodGET
Parameterx-frame-options
Attack
Evidence
Other Info
URLhttps://localhost:9000/search
MethodPOST
Parameterx-frame-options
Attack
Evidence
Other Info
Instances3
Solution +
Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
+
+ +
If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
+ +
Reference + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + +
CWE Id1021
WASC Id15
Plugin Id10020
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Vulnerable JS Library
Description +
The identified library jquery, version 3.1.0 is vulnerable.
+ +
URLhttps://localhost:9000/resources/js/bootstrap.min.js
MethodGET
Parameter
Attack
Evidence* Bootstrap v3.3.7
Other InfoCVE-2018-14041 +CVE-2019-8331 +CVE-2018-20677 +CVE-2018-20676 +CVE-2018-14042 +CVE-2016-10735 +
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameter
Attack
Evidence/*! jQuery v3.1.0
Other InfoCVE-2020-11023 +CVE-2020-11022 +CVE-2019-11358 +
Instances2
Solution +
Please upgrade to the latest version of jquery.
+ +
Reference + https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ +
+ + https://nvd.nist.gov/vuln/detail/CVE-2019-11358 +
+ + https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b +
+ + https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ + +
CWE Id829
WASC Id
Plugin Id10003
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Cookie Slack Detector
Description +
Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced.
+ +
URLhttps://localhost:9000
MethodGET
Parameter
Attack
Evidence
Other InfoNOTE: Because of its name this cookie may be important, but dropping it appears to have no effect: [JSESSIONID] +Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. +These cookies affected the response: +These cookies did NOT affect the response: JSESSIONID +
URLhttps://localhost:9000/
MethodGET
Parameter
Attack
Evidence
Other InfoNOTE: Because of its name this cookie may be important, but dropping it appears to have no effect: [JSESSIONID] +Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. +These cookies affected the response: +These cookies did NOT affect the response: JSESSIONID +
URLhttps://localhost:9000/resources
MethodGET
Parameter
Attack
Evidence
Other InfoNOTE: Because of its name this cookie may be important, but dropping it appears to have no effect: [JSESSIONID] +Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. +These cookies affected the response: +These cookies did NOT affect the response: JSESSIONID +
URLhttps://localhost:9000/resources/css
MethodGET
Parameter
Attack
Evidence
Other InfoNOTE: Because of its name this cookie may be important, but dropping it appears to have no effect: [JSESSIONID] +Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. +These cookies affected the response: +These cookies did NOT affect the response: JSESSIONID +
URLhttps://localhost:9000/resources/css/bootstrap-theme.min.css
MethodGET
Parameter
Attack
Evidence
Other InfoNOTE: Because of its name this cookie may be important, but dropping it appears to have no effect: [JSESSIONID] +Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. +These cookies affected the response: +These cookies did NOT affect the response: JSESSIONID +
URLhttps://localhost:9000/resources/css/bootstrap.min.css
MethodGET
Parameter
Attack
Evidence
Other InfoNOTE: Because of its name this cookie may be important, but dropping it appears to have no effect: [JSESSIONID] +Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. +These cookies affected the response: +These cookies did NOT affect the response: JSESSIONID +
URLhttps://localhost:9000/resources/js
MethodGET
Parameter
Attack
Evidence
Other InfoNOTE: Because of its name this cookie may be important, but dropping it appears to have no effect: [JSESSIONID] +Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. +These cookies affected the response: +These cookies did NOT affect the response: JSESSIONID +
URLhttps://localhost:9000/resources/js/bootstrap.min.js
MethodGET
Parameter
Attack
Evidence
Other InfoNOTE: Because of its name this cookie may be important, but dropping it appears to have no effect: [JSESSIONID] +Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. +These cookies affected the response: +These cookies did NOT affect the response: JSESSIONID +
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameter
Attack
Evidence
Other InfoNOTE: Because of its name this cookie may be important, but dropping it appears to have no effect: [JSESSIONID] +Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. +These cookies affected the response: +These cookies did NOT affect the response: JSESSIONID +
URLhttps://localhost:9000/robots.txt
MethodGET
Parameter
Attack
Evidence
Other InfoNOTE: Because of its name this cookie may be important, but dropping it appears to have no effect: [JSESSIONID] +Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. +These cookies affected the response: +These cookies did NOT affect the response: JSESSIONID +
URLhttps://localhost:9000/sitemap.xml
MethodGET
Parameter
Attack
Evidence
Other InfoNOTE: Because of its name this cookie may be important, but dropping it appears to have no effect: [JSESSIONID] +Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. +These cookies affected the response: +These cookies did NOT affect the response: JSESSIONID +
URLhttps://localhost:9000/search
MethodPOST
Parameter
Attack
Evidence
Other InfoNOTE: Because of its name this cookie may be important, but dropping it appears to have no effect: [JSESSIONID] +Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. +These cookies affected the response: +These cookies did NOT affect the response: JSESSIONID +
Instances12
Solution
Reference + https://cwe.mitre.org/data/definitions/205.html + +
CWE Id200
WASC Id45
Plugin Id90027
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Cookie without SameSite Attribute
Description +
A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.
+ +
URLhttps://localhost:9000
MethodGET
ParameterJSESSIONID
Attack
EvidenceSet-Cookie: JSESSIONID
Other Info
URLhttps://localhost:9000/
MethodGET
ParameterJSESSIONID
Attack
EvidenceSet-Cookie: JSESSIONID
Other Info
Instances2
Solution +
Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
+ +
Reference + https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site + +
CWE Id1275
WASC Id13
Plugin Id10054
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Dangerous JS Functions
Description +
A dangerous JS function seems to be in use that would leave the site vulnerable.
+ +
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameter
Attack
EvidenceEval
Other Info
Instances1
Solution +
See the references for security advice on the use of these functions.
+ +
Reference + https://angular.io/guide/security + +
CWE Id749
WASC Id
Plugin Id10110
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Permissions Policy Header Not Set
Description +
Permissions Policy Header is an added layer of security that helps to restrict from unauthorized access or usage of browser/client features by web resources. This policy ensures the user privacy by limiting or specifying the features of the browsers can be used by the web resources. Permissions Policy provides a set of standard HTTP headers that allow website owners to limit which features of browsers can be used by the page such as camera, microphone, location, full screen etc.
+ +
URLhttps://localhost:9000
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/resources/js/bootstrap.min.js
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/search
MethodPOST
Parameter
Attack
Evidence
Other Info
Instances5
Solution +
Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header.
+ +
Reference + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy +
+ + https://developer.chrome.com/blog/feature-policy/ +
+ + https://scotthelme.co.uk/a-new-security-header-feature-policy/ +
+ + https://w3c.github.io/webappsec-feature-policy/ +
+ + https://www.smashingmagazine.com/2018/12/feature-policy/ + +
CWE Id693
WASC Id15
Plugin Id10063
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Strict-Transport-Security Header Not Set
Description +
HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.
+ +
URLhttps://localhost:9000
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/resources/css/bootstrap-theme.min.css
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/resources/css/bootstrap.min.css
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/resources/js/bootstrap.min.js
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/robots.txt
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/sitemap.xml
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/search
MethodPOST
Parameter
Attack
Evidence
Other Info
Instances9
Solution +
Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.
+ +
Reference + https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html +
+ + https://owasp.org/www-community/Security_Headers +
+ + https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +
+ + https://caniuse.com/stricttransportsecurity +
+ + https://datatracker.ietf.org/doc/html/rfc6797 + +
CWE Id319
WASC Id15
Plugin Id10035
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
X-Content-Type-Options Header Missing
Description +
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
+ +
URLhttps://localhost:9000
MethodGET
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
URLhttps://localhost:9000/
MethodGET
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
URLhttps://localhost:9000/resources/css/bootstrap-theme.min.css
MethodGET
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
URLhttps://localhost:9000/resources/css/bootstrap.min.css
MethodGET
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
URLhttps://localhost:9000/resources/js/bootstrap.min.js
MethodGET
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
URLhttps://localhost:9000/search
MethodPOST
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
Instances7
Solution +
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
+
+ +
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
+ +
Reference + https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85) +
+ + https://owasp.org/www-community/Security_Headers + +
CWE Id693
WASC Id15
Plugin Id10021
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
GET for POST
Description +
A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible.
+ +
URLhttps://localhost:9000/search
MethodGET
Parameter
Attack
EvidenceGET https://localhost:9000/search?keyword=ZAP HTTP/1.1
Other Info
Instances1
Solution +
Ensure that only POST is accepted where POST is expected.
+ +
Reference
CWE Id16
WASC Id20
Plugin Id10058
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Information Disclosure - Suspicious Comments
Description +
The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.
+ +
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameter
Attack
Evidencedb
Other InfoThe following pattern was used: \bDB\b and was detected 2 times, the first in the element starting with: "r.isFunction(d)||(g=!0),j&&(g?(b.call(a,d),b=null):(j=b,b=function(a,b,c){return j.call(r(a),c)})),b))for(;h<i;h++)b(a[h],c,g?d:", see evidence field for the suspicious comment/snippet.
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameter
Attack
Evidenceselect
Other InfoThe following pattern was used: \bSELECT\b and was detected in the element starting with: "!function(a,b){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(", see evidence field for the suspicious comment/snippet.
Instances2
Solution +
Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.
+ +
Reference
CWE Id200
WASC Id13
Plugin Id10027
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Loosely Scoped Cookie
Description +
Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.
+ +
URLhttps://localhost:9000
MethodGET
Parameter
Attack
Evidence
Other InfoThe origin domain used for comparison was: +localhost +JSESSIONID=430FE419D3F8EC6CCAED1559F00CA5E7 +
URLhttps://localhost:9000/
MethodGET
Parameter
Attack
Evidence
Other InfoThe origin domain used for comparison was: +localhost +JSESSIONID=8DCB28A0BD2D09A386B11F6AFC1330E9 +
Instances2
Solution +
Always scope cookies to a FQDN (Fully Qualified Domain Name).
+ +
Reference + https://tools.ietf.org/html/rfc6265#section-4.1 +
+ + https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html +
+ + https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies + +
CWE Id565
WASC Id15
Plugin Id90033
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Re-examine Cache-control Directives
Description +
The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.
+ +
URLhttps://localhost:9000
MethodGET
Parametercache-control
Attack
Evidence
Other Info
URLhttps://localhost:9000/
MethodGET
Parametercache-control
Attack
Evidence
Other Info
URLhttps://localhost:9000/search
MethodPOST
Parametercache-control
Attack
Evidence
Other Info
Instances3
Solution +
For secure content, ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached consider setting the directives "public, max-age, immutable".
+ +
Reference + https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching +
+ + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control +
+ + https://grayduck.mn/2021/09/13/cache-control-recommendations/ + +
CWE Id525
WASC Id13
Plugin Id10015
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Session Management Response Identified
Description +
The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to "Auto-Detect" then this rule will change the session management to use the tokens identified.
+ +
URLhttps://localhost:9000
MethodGET
ParameterJSESSIONID
Attack
Evidence430FE419D3F8EC6CCAED1559F00CA5E7
Other Info +cookie:JSESSIONID
URLhttps://localhost:9000/
MethodGET
ParameterJSESSIONID
Attack
Evidence8DCB28A0BD2D09A386B11F6AFC1330E9
Other Info +cookie:JSESSIONID
URLhttps://localhost:9000
MethodGET
ParameterJSESSIONID
Attack
Evidence430FE419D3F8EC6CCAED1559F00CA5E7
Other Info +cookie:JSESSIONID
Instances3
Solution +
This is an informational alert rather than a vulnerability and so there is nothing to fix.
+ +
Reference + https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id + +
CWE Id
WASC Id
Plugin Id10112
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Storable and Cacheable Content
Description +
The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where "shared" caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.
+ +
URLhttps://localhost:9000
MethodGET
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URLhttps://localhost:9000/
MethodGET
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URLhttps://localhost:9000/resources/css/bootstrap-theme.min.css
MethodGET
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URLhttps://localhost:9000/resources/css/bootstrap.min.css
MethodGET
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URLhttps://localhost:9000/resources/js/bootstrap.min.js
MethodGET
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URLhttps://localhost:9000/robots.txt
MethodGET
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URLhttps://localhost:9000/sitemap.xml
MethodGET
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URLhttps://localhost:9000/search
MethodPOST
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
Instances9
Solution +
Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:
+
+ +
Cache-Control: no-cache, no-store, must-revalidate, private
+
+ +
Pragma: no-cache
+
+ +
Expires: 0
+
+ +
This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.
+ +
Reference + https://datatracker.ietf.org/doc/html/rfc7234 +
+ + https://datatracker.ietf.org/doc/html/rfc7231 +
+ + https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html + +
CWE Id524
WASC Id13
Plugin Id10049
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
User Agent Fuzzer
Description +
Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.
+ +
URLhttps://localhost:9000/robots.txt
MethodGET
ParameterHeader User-Agent
AttackMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Evidence
Other Info
URLhttps://localhost:9000/robots.txt
MethodGET
ParameterHeader User-Agent
AttackMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Evidence
Other Info
URLhttps://localhost:9000/robots.txt
MethodGET
ParameterHeader User-Agent
AttackMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Evidence
Other Info
URLhttps://localhost:9000/robots.txt
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
Evidence
Other Info
URLhttps://localhost:9000/robots.txt
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0
Evidence
Other Info
URLhttps://localhost:9000/robots.txt
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Evidence
Other Info
URLhttps://localhost:9000/robots.txt
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0
Evidence
Other Info
URLhttps://localhost:9000/robots.txt
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Evidence
Other Info
URLhttps://localhost:9000/robots.txt
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Evidence
Other Info
URLhttps://localhost:9000/robots.txt
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4
Evidence
Other Info
URLhttps://localhost:9000/robots.txt
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16
Evidence
Other Info
URLhttps://localhost:9000/robots.txt
MethodGET
ParameterHeader User-Agent
Attackmsnbot/1.1 (+http://search.msn.com/msnbot.htm)
Evidence
Other Info
URLhttps://localhost:9000/sitemap.xml
MethodGET
ParameterHeader User-Agent
AttackMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Evidence
Other Info
URLhttps://localhost:9000/sitemap.xml
MethodGET
ParameterHeader User-Agent
AttackMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Evidence
Other Info
URLhttps://localhost:9000/sitemap.xml
MethodGET
ParameterHeader User-Agent
AttackMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Evidence
Other Info
URLhttps://localhost:9000/sitemap.xml
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
Evidence
Other Info
URLhttps://localhost:9000/sitemap.xml
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0
Evidence
Other Info
URLhttps://localhost:9000/sitemap.xml
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Evidence
Other Info
URLhttps://localhost:9000/sitemap.xml
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0
Evidence
Other Info
URLhttps://localhost:9000/sitemap.xml
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Evidence
Other Info
URLhttps://localhost:9000/sitemap.xml
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Evidence
Other Info
URLhttps://localhost:9000/sitemap.xml
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4
Evidence
Other Info
URLhttps://localhost:9000/sitemap.xml
MethodGET
ParameterHeader User-Agent
AttackMozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16
Evidence
Other Info
URLhttps://localhost:9000/sitemap.xml
MethodGET
ParameterHeader User-Agent
Attackmsnbot/1.1 (+http://search.msn.com/msnbot.htm)
Evidence
Other Info
Instances24
Solution
Reference + https://owasp.org/wstg + +
CWE Id
WASC Id
Plugin Id10104
+
+ + + + + diff --git a/zapreport.html b/zapreport.html new file mode 100644 index 0000000..0cec051 --- /dev/null +++ b/zapreport.html @@ -0,0 +1,2780 @@ + + + + +ZAP Scanning Report + + + +

+ + + ZAP Scanning Report +

+

+ + +

+ + Site: https://localhost:9000 + +

+ +

+ Generated on Thu, 18 Jan 2024 00:26:56 +

+ +

+ ZAP Version: 2.14.0 +

+ + +

Summary of Alerts

+ + + + + + + + + + + + + + + + + + + + + + + + + +
Risk LevelNumber of Alerts
+
High
+ 		+
0
+
+
Medium
+ 		+
4
+
+
Low
+ 		+
5
+
+
Informational
+ 		+
5
+
+
False Positives:
+ 		+
0
+
+
+ + + +

Alerts

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameRisk LevelNumber of Instances
Absence of Anti-CSRF TokensMedium3
Content Security Policy (CSP) Header Not SetMedium3
Missing Anti-clickjacking HeaderMedium3
Vulnerable JS LibraryMedium2
Cookie without SameSite AttributeLow1
Dangerous JS FunctionsLow1
Permissions Policy Header Not SetLow5
Strict-Transport-Security Header Not SetLow9
X-Content-Type-Options Header MissingLow7
Information Disclosure - Suspicious CommentsInformational2
Loosely Scoped CookieInformational2
Re-examine Cache-control DirectivesInformational3
Session Management Response IdentifiedInformational3
Storable and Cacheable ContentInformational7
+
+ + + +

Alert Detail

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Absence of Anti-CSRF Tokens
Description +
No Anti-CSRF tokens were found in a HTML submission form.
+
+ +
A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.
+
+ +
CSRF attacks are effective in a number of situations, including:
+
+ +
* The victim has an active session on the target site.
+
+ +
* The victim is authenticated via HTTP auth on the target site.
+
+ +
* The victim is on the same local network as the target site.
+
+ +
CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.
+ +
URLhttps://localhost:9000
MethodGET
Parameter
Attack
Evidence<form class="navbar-form navbar-left" + action='/search' method="post">
Other InfoNo known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, __csrf_magic, CSRF, _token, _csrf_token] was found in the following HTML form: [Form 1: "keyword" ].
URLhttps://localhost:9000/
MethodGET
Parameter
Attack
Evidence<form class="navbar-form navbar-left" + action='/search' method="post">
Other InfoNo known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, __csrf_magic, CSRF, _token, _csrf_token] was found in the following HTML form: [Form 1: "keyword" ].
URLhttps://localhost:9000/search
MethodPOST
Parameter
Attack
Evidence<form class="navbar-form navbar-left" + action='/search' method="post">
Other InfoNo known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, __csrf_magic, CSRF, _token, _csrf_token] was found in the following HTML form: [Form 1: "keyword" ].
Instances3
Solution +
Phase: Architecture and Design
+
+ +
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
+
+ +
For example, use anti-CSRF packages such as the OWASP CSRFGuard.
+
+ +
Phase: Implementation
+
+ +
Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.
+
+ +
Phase: Architecture and Design
+
+ +
Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).
+
+ +
Note that this can be bypassed using XSS.
+
+ +
Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.
+
+ +
Note that this can be bypassed using XSS.
+
+ +
Use the ESAPI Session Management control.
+
+ +
This control includes a component for CSRF.
+
+ +
Do not use the GET method for any request that triggers a state change.
+
+ +
Phase: Implementation
+
+ +
Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.
+ +
Reference + https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html +
+ + https://cwe.mitre.org/data/definitions/352.html + +
CWE Id352
WASC Id9
Plugin Id10202
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Content Security Policy (CSP) Header Not Set
Description +
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
+ +
URLhttps://localhost:9000
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/search
MethodPOST
Parameter
Attack
Evidence
Other Info
Instances3
Solution +
Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.
+ +
Reference + https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy +
+ + https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html +
+ + https://www.w3.org/TR/CSP/ +
+ + https://w3c.github.io/webappsec-csp/ +
+ + https://web.dev/articles/csp +
+ + https://caniuse.com/#feat=contentsecuritypolicy +
+ + https://content-security-policy.com/ + +
CWE Id693
WASC Id15
Plugin Id10038
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Missing Anti-clickjacking Header
Description +
The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
+ +
URLhttps://localhost:9000
MethodGET
Parameterx-frame-options
Attack
Evidence
Other Info
URLhttps://localhost:9000/
MethodGET
Parameterx-frame-options
Attack
Evidence
Other Info
URLhttps://localhost:9000/search
MethodPOST
Parameterx-frame-options
Attack
Evidence
Other Info
Instances3
Solution +
Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
+
+ +
If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
+ +
Reference + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + +
CWE Id1021
WASC Id15
Plugin Id10020
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Vulnerable JS Library
Description +
The identified library jquery, version 3.1.0 is vulnerable.
+ +
URLhttps://localhost:9000/resources/js/bootstrap.min.js
MethodGET
Parameter
Attack
Evidence* Bootstrap v3.3.7
Other InfoCVE-2018-14041 +CVE-2019-8331 +CVE-2018-20677 +CVE-2018-20676 +CVE-2018-14042 +CVE-2016-10735 +
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameter
Attack
Evidence/*! jQuery v3.1.0
Other InfoCVE-2020-11023 +CVE-2020-11022 +CVE-2019-11358 +
Instances2
Solution +
Please upgrade to the latest version of jquery.
+ +
Reference + https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ +
+ + https://nvd.nist.gov/vuln/detail/CVE-2019-11358 +
+ + https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b +
+ + https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ + +
CWE Id829
WASC Id
Plugin Id10003
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Cookie without SameSite Attribute
Description +
A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.
+ +
URLhttps://localhost:9000
MethodGET
ParameterJSESSIONID
Attack
EvidenceSet-Cookie: JSESSIONID
Other Info
Instances1
Solution +
Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
+ +
Reference + https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site + +
CWE Id1275
WASC Id13
Plugin Id10054
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Dangerous JS Functions
Description +
A dangerous JS function seems to be in use that would leave the site vulnerable.
+ +
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameter
Attack
EvidenceEval
Other Info
Instances1
Solution +
See the references for security advice on the use of these functions.
+ +
Reference + https://angular.io/guide/security + +
CWE Id749
WASC Id
Plugin Id10110
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Permissions Policy Header Not Set
Description +
Permissions Policy Header is an added layer of security that helps to restrict from unauthorized access or usage of browser/client features by web resources. This policy ensures the user privacy by limiting or specifying the features of the browsers can be used by the web resources. Permissions Policy provides a set of standard HTTP headers that allow website owners to limit which features of browsers can be used by the page such as camera, microphone, location, full screen etc.
+ +
URLhttps://localhost:9000
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/resources/js/bootstrap.min.js
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/search
MethodPOST
Parameter
Attack
Evidence
Other Info
Instances5
Solution +
Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header.
+ +
Reference + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy +
+ + https://developer.chrome.com/blog/feature-policy/ +
+ + https://scotthelme.co.uk/a-new-security-header-feature-policy/ +
+ + https://w3c.github.io/webappsec-feature-policy/ +
+ + https://www.smashingmagazine.com/2018/12/feature-policy/ + +
CWE Id693
WASC Id15
Plugin Id10063
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Strict-Transport-Security Header Not Set
Description +
HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.
+ +
URLhttps://localhost:9000
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/resources/css/bootstrap-theme.min.css
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/resources/css/bootstrap.min.css
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/resources/js/bootstrap.min.js
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/robots.txt
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/sitemap.xml
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttps://localhost:9000/search
MethodPOST
Parameter
Attack
Evidence
Other Info
Instances9
Solution +
Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.
+ +
Reference + https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html +
+ + https://owasp.org/www-community/Security_Headers +
+ + https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +
+ + https://caniuse.com/stricttransportsecurity +
+ + https://datatracker.ietf.org/doc/html/rfc6797 + +
CWE Id319
WASC Id15
Plugin Id10035
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
X-Content-Type-Options Header Missing
Description +
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
+ +
URLhttps://localhost:9000
MethodGET
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
URLhttps://localhost:9000/
MethodGET
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
URLhttps://localhost:9000/resources/css/bootstrap-theme.min.css
MethodGET
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
URLhttps://localhost:9000/resources/css/bootstrap.min.css
MethodGET
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
URLhttps://localhost:9000/resources/js/bootstrap.min.js
MethodGET
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
URLhttps://localhost:9000/search
MethodPOST
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
Instances7
Solution +
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
+
+ +
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
+ +
Reference + https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85) +
+ + https://owasp.org/www-community/Security_Headers + +
CWE Id693
WASC Id15
Plugin Id10021
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Information Disclosure - Suspicious Comments
Description +
The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.
+ +
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameter
Attack
Evidencedb
Other InfoThe following pattern was used: \bDB\b and was detected 2 times, the first in the element starting with: "r.isFunction(d)||(g=!0),j&&(g?(b.call(a,d),b=null):(j=b,b=function(a,b,c){return j.call(r(a),c)})),b))for(;h<i;h++)b(a[h],c,g?d:", see evidence field for the suspicious comment/snippet.
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameter
Attack
Evidenceselect
Other InfoThe following pattern was used: \bSELECT\b and was detected in the element starting with: "!function(a,b){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(", see evidence field for the suspicious comment/snippet.
Instances2
Solution +
Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.
+ +
Reference
CWE Id200
WASC Id13
Plugin Id10027
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Loosely Scoped Cookie
Description +
Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.
+ +
URLhttps://localhost:9000
MethodGET
Parameter
Attack
Evidence
Other InfoThe origin domain used for comparison was: +localhost +JSESSIONID=169E585044E278C75D4EFF176B72C20C +
URLhttps://localhost:9000
MethodGET
Parameter
Attack
Evidence
Other InfoThe origin domain used for comparison was: +localhost +JSESSIONID=DFCE3B13EE92E662EC690E15A44C8E13 +
Instances2
Solution +
Always scope cookies to a FQDN (Fully Qualified Domain Name).
+ +
Reference + https://tools.ietf.org/html/rfc6265#section-4.1 +
+ + https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html +
+ + https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies + +
CWE Id565
WASC Id15
Plugin Id90033
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Re-examine Cache-control Directives
Description +
The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.
+ +
URLhttps://localhost:9000
MethodGET
Parametercache-control
Attack
Evidence
Other Info
URLhttps://localhost:9000/
MethodGET
Parametercache-control
Attack
Evidence
Other Info
URLhttps://localhost:9000/search
MethodPOST
Parametercache-control
Attack
Evidence
Other Info
Instances3
Solution +
For secure content, ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached consider setting the directives "public, max-age, immutable".
+ +
Reference + https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching +
+ + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control +
+ + https://grayduck.mn/2021/09/13/cache-control-recommendations/ + +
CWE Id525
WASC Id13
Plugin Id10015
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Session Management Response Identified
Description +
The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to "Auto-Detect" then this rule will change the session management to use the tokens identified.
+ +
URLhttps://localhost:9000
MethodGET
ParameterJSESSIONID
Attack
Evidence169E585044E278C75D4EFF176B72C20C
Other Info +cookie:JSESSIONID
URLhttps://localhost:9000
MethodGET
ParameterJSESSIONID
Attack
EvidenceDFCE3B13EE92E662EC690E15A44C8E13
Other Info +cookie:JSESSIONID
URLhttps://localhost:9000
MethodGET
ParameterJSESSIONID
Attack
Evidence169E585044E278C75D4EFF176B72C20C
Other Info +cookie:JSESSIONID
Instances3
Solution +
This is an informational alert rather than a vulnerability and so there is nothing to fix.
+ +
Reference + https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id + +
CWE Id
WASC Id
Plugin Id10112
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Storable and Cacheable Content
Description +
The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where "shared" caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.
+ +
URLhttps://localhost:9000
MethodGET
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URLhttps://localhost:9000/
MethodGET
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URLhttps://localhost:9000/resources/css/bootstrap.min.css
MethodGET
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URLhttps://localhost:9000/resources/js/bootstrap.min.js
MethodGET
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URLhttps://localhost:9000/resources/js/jquery.min.js
MethodGET
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URLhttps://localhost:9000/robots.txt
MethodGET
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URLhttps://localhost:9000/sitemap.xml
MethodGET
Parameter
Attack
Evidence
Other InfoIn the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
Instances7
Solution +
Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:
+
+ +
Cache-Control: no-cache, no-store, must-revalidate, private
+
+ +
Pragma: no-cache
+
+ +
Expires: 0
+
+ +
This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.
+ +
Reference + https://datatracker.ietf.org/doc/html/rfc7234 +
+ + https://datatracker.ietf.org/doc/html/rfc7231 +
+ + https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html + +
CWE Id524
WASC Id13
Plugin Id10049
+
+ + + + +