# Resumen completo de pruebas de seguridad

**Fecha:** 2026-06-03 15:06:02

**Proyecto:** `/Users/oq/Developer/multi-php-docker/php-prod/sasis`

## Alcance

- SAST: Semgrep con reglas PHP y security-audit.
- SCA: Composer audit, npm audit si existe package-lock, y Trivy FS.
- DAST: OWASP ZAP baseline contra servidor PHP dockerizado cuando el proyecto puede exponerse localmente.

## Archivos de evidencia

- `00-inventario.md`
- `01-docker.md`
- `02-sast-semgrep.md`
- `03-sca-composer-audit-mgmt.md`
- `04-sca-composer-audit-api.md`
- `05-sca-npm-audit-mgmt.md`
- `06-sca-trivy-fs.md`
- `07-dast-zap-baseline.md`
- `08-resumen-completo.md`
- `09-sugerencias-mitigacion-criticas.md`

## Hallazgos principales detectados automáticamente

### SAST

Warning: 1 timeout error(s) in /src/api/lib/flatpickr.js when running the following rules:
Warning: 1 timeout error(s) in /src/api/lib/moment.js when running the following rules:
Warning: 4 timeout error(s) in /src/mgmt/fullcalendar/index.global.js when running the following rules:
Warning: 1 timeout error(s) in /src/mgmt/js/chart.umd.js when running the following rules:
Warning: 1 timeout error(s) in /src/mgmt/js/cropper.js when running the following rules:
Warning: 5 timeout error(s) in /src/mgmt/js/ew.js when running the following rules:
Warning: 3 timeout error(s) in /src/mgmt/js/tabulator.js when running the following rules:
Warning: 1 timeout error(s) in /src/mgmt/models/ActivoFijo.php when running the following rules:
Warning: 1 timeout error(s) in /src/mgmt/models/PersonalSaludList.php when running the following rules:
Warning: 1 timeout error(s) in /src/mgmt/models/SucursalesNivelesList.php when running the following rules:
Warning: 1 timeout error(s) in /src/mgmt/models/VEcPacientesPaquetesPartidas.php when running the following rules:
Warning: 1 timeout error(s) in /src/mgmt/models/VPoblacionList.php when running the following rules:
Warning: 1 timeout error(s) in /src/mgmt/swagger/swagger-ui-es-bundle-core.js when running the following rules:
│ 93 Code Findings │
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
          ❰❰ Blocking ❱❱
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request
          ❰❰ Blocking ❱❱
   ❯❯❱ php.lang.security.injection.echoed-request.echoed-request


### SCA / dependencias

/Users/oq/Developer/multi-php-docker/php-prod/sasis/pruebas/security/03-sca-composer-audit-mgmt.md:CVE: CVE-2025-45769
/Users/oq/Developer/multi-php-docker/php-prod/sasis/pruebas/security/04-sca-composer-audit-api.md:CVE: CVE-2025-45769
/Users/oq/Developer/multi-php-docker/php-prod/sasis/pruebas/security/06-sca-trivy-fs.md:Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
/Users/oq/Developer/multi-php-docker/php-prod/sasis/pruebas/security/06-sca-trivy-fs.md:│ firebase/php-jwt │ CVE-2025-45769 │ LOW      │ fixed  │ v6.11.1           │ 7.0.0         │ php-jwt contains weak encryption           │
/Users/oq/Developer/multi-php-docker/php-prod/sasis/pruebas/security/06-sca-trivy-fs.md:Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
/Users/oq/Developer/multi-php-docker/php-prod/sasis/pruebas/security/06-sca-trivy-fs.md:│ firebase/php-jwt │ CVE-2025-45769 │ LOW      │ fixed  │ v6.11.1           │ 7.0.0         │ php-jwt contains weak encryption           │
/Users/oq/Developer/multi-php-docker/php-prod/sasis/pruebas/security/06-sca-trivy-fs.md:Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
/Users/oq/Developer/multi-php-docker/php-prod/sasis/pruebas/security/06-sca-trivy-fs.md:│ setasign/fpdi │ CVE-2025-54869 │ MEDIUM   │ fixed  │ v2.3.6            │ 2.6.4         │ FPDI is a collection of PHP classes that facilitate reading │
/Users/oq/Developer/multi-php-docker/php-prod/sasis/pruebas/security/06-sca-trivy-fs.md:│               │ CVE-2026-45802 │          │        │                   │ 2.6.7         │ FPDI: Memory Exhaustion and Endless Loop in FPDI leads to   │


### DAST

X-Powered-By: PHP/8.2.31
PASS: Vulnerable JS Library (Powered by Retire.js) [10003]
PASS: In Page Banner Information Leak [10009]
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Re-examine Cache-control Directives [10015]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Off-site Redirect [10028]
PASS: Cookie Poisoning [10029]
PASS: User Controllable Charset [10030]
PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
PASS: Viewstate [10032]
PASS: Directory Browsing [10033]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: Strict-Transport-Security Header [10035]
PASS: HTTP Server Response Header [10036]
PASS: X-Backend-Server Header Information Leak [10039]
PASS: Secure Pages Include Mixed Content [10040]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
PASS: Retrieved from Cache [10050]
PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: Cookie without SameSite Attribute [10054]
PASS: CSP [10055]
PASS: X-Debug-Token Information Leak [10056]
PASS: Username Hash Found [10057]
PASS: X-AspNet-Version Response Header [10061]
PASS: PII Disclosure [10062]
PASS: Timestamp Disclosure [10096]
PASS: Hash Disclosure [10097]
PASS: Cross-Domain Misconfiguration [10098]
PASS: Source Code Disclosure [10099]
PASS: Weak Authentication Method [10105]
PASS: Reverse Tabnabbing [10108]
PASS: Modern Web Application [10109]
PASS: Dangerous JS Functions [10110]
PASS: Authentication Request Identified [10111]
PASS: Session Management Response Identified [10112]
PASS: Verification Request Identified [10113]
PASS: Script Served From Malicious Domain (polyfill) [10115]
PASS: ZAP is Out of Date [10116]
PASS: Absence of Anti-CSRF Tokens [10202]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Stats Passive Scan Rule [50003]
PASS: Insecure JSF ViewState [90001]
PASS: Java Serialization Object [90002]
PASS: Sub Resource Integrity Attribute Missing [90003]
PASS: Charset Mismatch [90011]
PASS: Application Error Disclosure [90022]
PASS: WSDL File Detection [90030]
PASS: Loosely Scoped Cookie [90033]
WARN-NEW: Missing Anti-clickjacking Header [10020] x 1 
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 1 
WARN-NEW: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] x 1 
WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 2 
WARN-NEW: Storable and Cacheable Content [10049] x 3 
WARN-NEW: Permissions Policy Header Not Set [10063] x 3 
WARN-NEW: Cross-Origin-Embedder-Policy Header Missing or Invalid [90004] x 3 
FAIL-NEW: 0	FAIL-INPROG: 0	WARN-NEW: 7	WARN-INPROG: 0	INFO: 0	IGNORE: 0	PASS: 60


## Recomendaciones prioritarias

1. Actualizar dependencias Composer con CVE críticas/altas, especialmente `firebase/php-jwt`, `phpoffice/phpspreadsheet`, `symfony/mime` y paquetes marcados por Composer/Trivy.
2. Revisar los hallazgos SAST de salida directa de datos y aplicar codificación contextual (`htmlentities`, JSON seguro y headers correctos) según el tipo de respuesta.
3. Agregar headers HTTP de seguridad: `Content-Security-Policy`, `X-Content-Type-Options`, `X-Frame-Options` o `frame-ancestors`, `Permissions-Policy` y ocultar `X-Powered-By`.
4. Repetir DAST contra el ambiente real autenticado/staging; esta corrida usa servidor PHP embebido y no reemplaza una prueba funcional completa.
5. Revisar paquetes abandonados reportados por Composer y definir reemplazo o mitigación.

## Comando para repetir

```bash
/Users/oq/Developer/multi-php-docker/php-prod/sasis/pruebas/security/run_security_tests.sh "/Users/oq/Developer/multi-php-docker/php-prod/sasis"
```
