# OWASP ZAP baseline

**Fecha:** 2026-06-04 15:45:24

**Proyecto:** `/Users/oq/Developer/multi-php-docker/php-prod/sasis`

**Target autorizado:** `http://localhost:8888/sasis/mgmt`

**Target desde Docker:** `http://host.docker.internal:8888/sasis/mgmt`

**Descripción:** DAST no autenticado y no destructivo contra el target autorizado.

## Comando

```bash
docker run --rm -v /Users/oq/Developer/multi-php-docker/php-prod/sasis/pruebas/security/pentest/raw:/zap/wrk:rw ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t http://host.docker.internal:8888/sasis/mgmt -I -m 5 -r zap-baseline.html 
```

## Salida

**Estado:** `0`

```text
Using the Automation Framework
Total of 35 URLs
PASS: Vulnerable JS Library (Powered by Retire.js) [10003]
PASS: Cookie Without Secure Flag [10011]
PASS: Re-examine Cache-control Directives [10015]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Off-site Redirect [10028]
PASS: Cookie Poisoning [10029]
PASS: User Controllable Charset [10030]
PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
PASS: Viewstate [10032]
PASS: Directory Browsing [10033]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: Strict-Transport-Security Header [10035]
PASS: X-Backend-Server Header Information Leak [10039]
PASS: Secure Pages Include Mixed Content [10040]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Retrieved from Cache [10050]
PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: CSP [10055]
PASS: X-Debug-Token Information Leak [10056]
PASS: Username Hash Found [10057]
PASS: X-AspNet-Version Response Header [10061]
PASS: PII Disclosure [10062]
PASS: Timestamp Disclosure [10096]
PASS: Hash Disclosure [10097]
PASS: Cross-Domain Misconfiguration [10098]
PASS: Source Code Disclosure [10099]
PASS: Weak Authentication Method [10105]
PASS: Reverse Tabnabbing [10108]
PASS: Dangerous JS Functions [10110]
PASS: Verification Request Identified [10113]
PASS: Script Served From Malicious Domain (polyfill) [10115]
PASS: ZAP is Out of Date [10116]
PASS: Absence of Anti-CSRF Tokens [10202]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Stats Passive Scan Rule [50003]
PASS: Insecure JSF ViewState [90001]
PASS: Java Serialization Object [90002]
PASS: Charset Mismatch [90011]
PASS: Application Error Disclosure [90022]
PASS: WSDL File Detection [90030]
PASS: Loosely Scoped Cookie [90033]
WARN-NEW: In Page Banner Information Leak [10009] x 5 
	http://host.docker.internal:8888/ (403 Forbidden)
	http://host.docker.internal:8888/if (404 Not Found)
	http://host.docker.internal:8888/robots.txt (404 Not Found)
	http://host.docker.internal:8888/sasis/ (403 Forbidden)
	http://host.docker.internal:8888/sitemap.xml (404 Not Found)
WARN-NEW: Cookie No HttpOnly Flag [10010] x 2 
	http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3EthumbnailUrl%7D%7D (404 Not Found)
	http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3Eurl%7D%7D (404 Not Found)
WARN-NEW: Missing Anti-clickjacking Header [10020] x 3 
	http://host.docker.internal:8888/sasis/mgmt (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/login (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP (200 OK)
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 5 
	http://host.docker.internal:8888/sasis/mgmt (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/css/modern-ui.css?v=24.16.8 (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/css/select2-bootstrap5.min.css?v=24.16.8 (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/css/select2.min.css?v=24.16.8 (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/plugins/fontawesome-free/css/all.min.css?v=24.16.8 (200 OK)
WARN-NEW: Information Disclosure - Suspicious Comments [10027] x 3 
	http://host.docker.internal:8888/sasis/mgmt (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/login (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP (200 OK)
WARN-NEW: Server Leaks Version Information via "Server" HTTP Response Header Field [10036] x 5 
	http://host.docker.internal:8888/ (403 Forbidden)
	http://host.docker.internal:8888/sasis (301 Moved Permanently)
	http://host.docker.internal:8888/sasis/ (403 Forbidden)
	http://host.docker.internal:8888/sasis/mgmt (301 Moved Permanently)
	http://host.docker.internal:8888/sitemap.xml (404 Not Found)
WARN-NEW: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] x 5 
	http://host.docker.internal:8888/sasis/mgmt (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/ (302 Found)
	http://host.docker.internal:8888/sasis/mgmt/login (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3EthumbnailUrl%7D%7D (404 Not Found)
	http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3Eurl%7D%7D (404 Not Found)
WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 5 
	http://host.docker.internal:8888/ (403 Forbidden)
	http://host.docker.internal:8888/robots.txt (404 Not Found)
	http://host.docker.internal:8888/sasis/ (403 Forbidden)
	http://host.docker.internal:8888/sasis/mgmt (200 OK)
	http://host.docker.internal:8888/sitemap.xml (404 Not Found)
WARN-NEW: Big Redirect Detected (Potential Sensitive Information Leak) [10044] x 2 
	http://host.docker.internal:8888/sasis (301 Moved Permanently)
	http://host.docker.internal:8888/sasis/mgmt (301 Moved Permanently)
WARN-NEW: Non-Storable Content [10049] x 8 
	http://host.docker.internal:8888/ (403 Forbidden)
	http://host.docker.internal:8888/sasis/ (403 Forbidden)
	http://host.docker.internal:8888/sasis/mgmt/ (302 Found)
	http://host.docker.internal:8888/if (404 Not Found)
	http://host.docker.internal:8888/robots.txt (404 Not Found)
WARN-NEW: Cookie with SameSite Attribute None [10054] x 7 
	http://host.docker.internal:8888/sasis/mgmt (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/ (302 Found)
	http://host.docker.internal:8888/sasis/mgmt/index (302 Found)
	http://host.docker.internal:8888/sasis/mgmt/login (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP (200 OK)
WARN-NEW: Permissions Policy Header Not Set [10063] x 5 
	http://host.docker.internal:8888/ (403 Forbidden)
	http://host.docker.internal:8888/robots.txt (404 Not Found)
	http://host.docker.internal:8888/sasis/ (403 Forbidden)
	http://host.docker.internal:8888/sasis/mgmt (200 OK)
	http://host.docker.internal:8888/sitemap.xml (404 Not Found)
WARN-NEW: Modern Web Application [10109] x 3 
	http://host.docker.internal:8888/sasis/mgmt (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/login (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP (200 OK)
WARN-NEW: Authentication Request Identified [10111] x 1 
	http://host.docker.internal:8888/sasis/mgmt/login (400 Bad Request)
WARN-NEW: Session Management Response Identified [10112] x 7 
	http://host.docker.internal:8888/sasis/mgmt (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/ (302 Found)
	http://host.docker.internal:8888/sasis/mgmt/index (302 Found)
	http://host.docker.internal:8888/sasis/mgmt/login (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP (200 OK)
WARN-NEW: Sub Resource Integrity Attribute Missing [90003] x 3 
	http://host.docker.internal:8888/sasis/mgmt (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/login (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP (200 OK)
WARN-NEW: Cross-Origin-Embedder-Policy Header Missing or Invalid [90004] x 9 
	http://host.docker.internal:8888/sasis/mgmt (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/login (200 OK)
	http://host.docker.internal:8888/sasis/mgmt (200 OK)
	http://host.docker.internal:8888/sasis/mgmt/login (200 OK)
	http://host.docker.internal:8888/sasis/mgmt (200 OK)
FAIL-NEW: 0	FAIL-INPROG: 0	WARN-NEW: 17	WARN-INPROG: 0	INFO: 0	IGNORE: 0	PASS: 50
Automation plan warnings:
	Job spider error accessing URL http://host.docker.internal:8888/ status code returned : 403 expected 200
```
