| Risk Level | Number of Alerts |
|---|---|
|
High
|
0
|
|
Medium
|
3
|
|
Low
|
12
|
|
Informational
|
6
|
|
False Positives:
|
0
|
| Level | Reason | Site | Description | Statistic |
|---|---|---|---|---|
|
Info
|
Informational
|
http://host.docker.internal:8888
|
Percentage of responses with status code 2xx
|
48 %
|
|
Info
|
Informational
|
http://host.docker.internal:8888
|
Percentage of responses with status code 3xx
|
14 %
|
|
Info
|
Informational
|
http://host.docker.internal:8888
|
Percentage of responses with status code 4xx
|
37 %
|
|
Info
|
Informational
|
http://host.docker.internal:8888
|
Percentage of endpoints with content type application/json
|
12 %
|
|
Info
|
Informational
|
http://host.docker.internal:8888
|
Percentage of endpoints with content type image/png
|
8 %
|
|
Info
|
Informational
|
http://host.docker.internal:8888
|
Percentage of endpoints with content type text/css
|
24 %
|
|
Info
|
Informational
|
http://host.docker.internal:8888
|
Percentage of endpoints with content type text/html
|
48 %
|
|
Info
|
Informational
|
http://host.docker.internal:8888
|
Percentage of endpoints with content type text/javascript
|
8 %
|
|
Info
|
Informational
|
http://host.docker.internal:8888
|
Percentage of endpoints with method GET
|
96 %
|
|
Info
|
Informational
|
http://host.docker.internal:8888
|
Percentage of endpoints with method POST
|
4 %
|
|
Info
|
Informational
|
http://host.docker.internal:8888
|
Count of total endpoints
|
25
|
|
Info
|
Informational
|
http://host.docker.internal:8888
|
Percentage of slow responses
|
25 %
|
For each step: result (Pass/Fail) - risk (of highest alert(s) for the step, if any).
|
Medium |
Content Security Policy (CSP) Header Not Set |
|---|---|
| Description |
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
|
| URL | http://host.docker.internal:8888/ |
| Node Name | http://host.docker.internal:8888/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/robots.txt |
| Node Name | http://host.docker.internal:8888/robots.txt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/ |
| Node Name | http://host.docker.internal:8888/sasis/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/sitemap.xml |
| Node Name | http://host.docker.internal:8888/sitemap.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| Instances | Systemic |
| Solution |
Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.
|
| Reference |
https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html https://www.w3.org/TR/CSP/ https://w3c.github.io/webappsec-csp/ https://web.dev/articles/csp https://caniuse.com/#feat=contentsecuritypolicy https://content-security-policy.com/ |
| CWE Id | 693 |
| WASC Id | 15 |
| Plugin Id | 10038 |
|
Medium |
Missing Anti-clickjacking Header |
|---|---|
| Description |
The response does not protect against 'ClickJacking' attacks. It should include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options.
|
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/login |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login |
| Method | GET |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login (body,title) |
| Method | GET |
| Parameter | x-frame-options |
| Attack | |
| Evidence | |
| Other Info | |
| Instances | 3 |
| Solution |
Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
|
| Reference | https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options |
| CWE Id | 1021 |
| WASC Id | 15 |
| Plugin Id | 10020 |
|
Medium |
Sub Resource Integrity Attribute Missing |
|---|---|
| Description |
The integrity attribute is missing on a script or link tag served by an external server. The integrity tag prevents an attacker who have gained access to this server from injecting a malicious content.
|
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | <link href="https://fonts.googleapis.com/css2?family=Poppins:wght@400;600;700&display=swap" rel="stylesheet"> |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/login |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | <link href="https://fonts.googleapis.com/css2?family=Poppins:wght@400;600;700&display=swap" rel="stylesheet"> |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login (body,title) |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | <link href="https://fonts.googleapis.com/css2?family=Poppins:wght@400;600;700&display=swap" rel="stylesheet"> |
| Other Info | |
| Instances | 3 |
| Solution |
Provide a valid integrity attribute to the tag.
|
| Reference | https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity |
| CWE Id | 345 |
| WASC Id | 15 |
| Plugin Id | 90003 |
|
Low |
Big Redirect Detected (Potential Sensitive Information Leak) |
|---|---|
| Description |
The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.).
|
| URL | http://host.docker.internal:8888/sasis |
| Node Name | http://host.docker.internal:8888/sasis |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info |
Location header URI length: 39 [http://host.docker.internal:8888/sasis/].
Predicted response size: 339.
Response Body Length: 375.
|
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info |
Location header URI length: 44 [http://host.docker.internal:8888/sasis/mgmt/].
Predicted response size: 344.
Response Body Length: 380.
|
| Instances | 2 |
| Solution |
Ensure that no sensitive information is leaked via redirect responses. Redirect responses should have almost no content.
|
| Reference | |
| CWE Id | 201 |
| WASC Id | 13 |
| Plugin Id | 10044 |
|
Low |
Cookie No HttpOnly Flag |
|---|---|
| Description |
A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.
|
| URL | http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3EthumbnailUrl%7D%7D |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/{{>thumbnailUrl}} |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | Set-Cookie: PHPSESSID |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3Eurl%7D%7D |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/{{>url}} |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | Set-Cookie: PHPSESSID |
| Other Info | |
| Instances | 2 |
| Solution |
Ensure that the HttpOnly flag is set for all cookies.
|
| Reference | https://owasp.org/www-community/HttpOnly |
| CWE Id | 1004 |
| WASC Id | 13 |
| Plugin Id | 10010 |
|
Low |
Cookie with SameSite Attribute None |
|---|---|
| Description |
A cookie has been set with its SameSite attribute set to "none", which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.
|
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | Set-Cookie: PHPSESSID |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/ |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/ |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | Set-Cookie: PHPSESSID |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/index |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/index |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | Set-Cookie: PHPSESSID |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/login |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | Set-Cookie: PHPSESSID |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login (body,title) |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | Set-Cookie: PHPSESSID |
| Other Info | |
| Instances | 5 |
| Solution |
Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
|
| Reference | https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site |
| CWE Id | 1275 |
| WASC Id | 13 |
| Plugin Id | 10054 |
|
Low |
Cookie without SameSite Attribute |
|---|---|
| Description |
A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.
|
| URL | http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3EthumbnailUrl%7D%7D |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/{{>thumbnailUrl}} |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | Set-Cookie: PHPSESSID |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3Eurl%7D%7D |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/{{>url}} |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | Set-Cookie: PHPSESSID |
| Other Info | |
| Instances | 2 |
| Solution |
Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
|
| Reference | https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site |
| CWE Id | 1275 |
| WASC Id | 13 |
| Plugin Id | 10054 |
|
Low |
Cross-Origin-Embedder-Policy Header Missing or Invalid |
|---|---|
| Description |
Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).
|
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | Cross-Origin-Embedder-Policy |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/login |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login |
| Method | GET |
| Parameter | Cross-Origin-Embedder-Policy |
| Attack | |
| Evidence | |
| Other Info | |
| Instances | 2 |
| Solution |
Ensure that the application/web server sets the Cross-Origin-Embedder-Policy header appropriately, and that it sets the Cross-Origin-Embedder-Policy header to 'require-corp' for documents.
If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Embedder-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-embedder-policy).
|
| Reference | https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy |
| CWE Id | 693 |
| WASC Id | 14 |
| Plugin Id | 90004 |
|
Low |
Cross-Origin-Opener-Policy Header Missing or Invalid |
|---|---|
| Description |
Cross-Origin-Opener-Policy header is a response header that allows a site to control if others included documents share the same browsing context. Sharing the same browsing context with untrusted documents might lead to data leak.
|
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | Cross-Origin-Opener-Policy |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/login |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login |
| Method | GET |
| Parameter | Cross-Origin-Opener-Policy |
| Attack | |
| Evidence | |
| Other Info | |
| Instances | 2 |
| Solution |
Ensure that the application/web server sets the Cross-Origin-Opener-Policy header appropriately, and that it sets the Cross-Origin-Opener-Policy header to 'same-origin' for documents.
'same-origin-allow-popups' is considered as less secured and should be avoided.
If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Opener-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-opener-policy).
|
| Reference | https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy |
| CWE Id | 693 |
| WASC Id | 14 |
| Plugin Id | 90004 |
|
Low |
Cross-Origin-Resource-Policy Header Missing or Invalid |
|---|---|
| Description |
Cross-Origin-Resource-Policy header is an opt-in header designed to counter side-channels attacks like Spectre. Resource should be specifically set as shareable amongst different origins.
|
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | Cross-Origin-Resource-Policy |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/css/modern-ui.css?v=24.16.8 |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/css/modern-ui.css (v) |
| Method | GET |
| Parameter | Cross-Origin-Resource-Policy |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/css/select2-bootstrap5.min.css?v=24.16.8 |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/css/select2-bootstrap5.min.css (v) |
| Method | GET |
| Parameter | Cross-Origin-Resource-Policy |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/css/select2.min.css?v=24.16.8 |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/css/select2.min.css (v) |
| Method | GET |
| Parameter | Cross-Origin-Resource-Policy |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/plugins/fontawesome-free/css/all.min.css?v=24.16.8 |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/plugins/fontawesome-free/css/all.min.css (v) |
| Method | GET |
| Parameter | Cross-Origin-Resource-Policy |
| Attack | |
| Evidence | |
| Other Info | |
| Instances | Systemic |
| Solution |
Ensure that the application/web server sets the Cross-Origin-Resource-Policy header appropriately, and that it sets the Cross-Origin-Resource-Policy header to 'same-origin' for all web pages.
'same-site' is considered as less secured and should be avoided.
If resources must be shared, set the header to 'cross-origin'.
If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Resource-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-resource-policy).
|
| Reference | https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy |
| CWE Id | 693 |
| WASC Id | 14 |
| Plugin Id | 90004 |
|
Low |
In Page Banner Information Leak |
|---|---|
| Description |
The server returned a version banner string in the response content. Such information leaks may allow attackers to further target specific issues impacting the product and version in use.
|
| URL | http://host.docker.internal:8888/ |
| Node Name | http://host.docker.internal:8888/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Apache/2.4.66 |
| Other Info |
There is a chance that the highlight in the finding is on a value in the headers, versus the actual matched string in the response body.
|
| URL | http://host.docker.internal:8888/if |
| Node Name | http://host.docker.internal:8888/if |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Apache/2.4.66 |
| Other Info |
There is a chance that the highlight in the finding is on a value in the headers, versus the actual matched string in the response body.
|
| URL | http://host.docker.internal:8888/robots.txt |
| Node Name | http://host.docker.internal:8888/robots.txt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Apache/2.4.66 |
| Other Info |
There is a chance that the highlight in the finding is on a value in the headers, versus the actual matched string in the response body.
|
| URL | http://host.docker.internal:8888/sasis/ |
| Node Name | http://host.docker.internal:8888/sasis/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Apache/2.4.66 |
| Other Info |
There is a chance that the highlight in the finding is on a value in the headers, versus the actual matched string in the response body.
|
| URL | http://host.docker.internal:8888/sitemap.xml |
| Node Name | http://host.docker.internal:8888/sitemap.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Apache/2.4.66 |
| Other Info |
There is a chance that the highlight in the finding is on a value in the headers, versus the actual matched string in the response body.
|
| Instances | Systemic |
| Solution |
Configure the server to prevent such information leaks. For example:
Under Tomcat this is done via the "server" directive and implementation of custom error pages.
Under Apache this is done via the "ServerSignature" and "ServerTokens" directives.
|
| Reference | https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/ |
| CWE Id | 497 |
| WASC Id | 13 |
| Plugin Id | 10009 |
|
Low |
Permissions Policy Header Not Set |
|---|---|
| Description |
Permissions Policy Header is an added layer of security that helps to restrict from unauthorized access or usage of browser/client features by web resources. This policy ensures the user privacy by limiting or specifying the features of the browsers can be used by the web resources. Permissions Policy provides a set of standard HTTP headers that allow website owners to limit which features of browsers can be used by the page such as camera, microphone, location, full screen etc.
|
| URL | http://host.docker.internal:8888/ |
| Node Name | http://host.docker.internal:8888/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/robots.txt |
| Node Name | http://host.docker.internal:8888/robots.txt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/ |
| Node Name | http://host.docker.internal:8888/sasis/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| URL | http://host.docker.internal:8888/sitemap.xml |
| Node Name | http://host.docker.internal:8888/sitemap.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| Instances | Systemic |
| Solution |
Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header.
|
| Reference |
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
https://developer.chrome.com/blog/feature-policy/ https://scotthelme.co.uk/a-new-security-header-feature-policy/ https://w3c.github.io/webappsec-feature-policy/ https://www.smashingmagazine.com/2018/12/feature-policy/ |
| CWE Id | 693 |
| WASC Id | 15 |
| Plugin Id | 10063 |
|
Low |
Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) |
|---|---|
| Description |
The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.
|
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | X-Powered-By: PHP/8.2.30 |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/ |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | X-Powered-By: PHP/8.2.30 |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/login |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | X-Powered-By: PHP/8.2.30 |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3EthumbnailUrl%7D%7D |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/{{>thumbnailUrl}} |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | X-Powered-By: PHP/8.2.30 |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3Eurl%7D%7D |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/{{>url}} |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | X-Powered-By: PHP/8.2.30 |
| Other Info | |
| Instances | Systemic |
| Solution |
Ensure that your web server, application server, load balancer, etc. is configured to suppress "X-Powered-By" headers.
|
| Reference |
https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework
https://www.troyhunt.com/shhh-dont-let-your-response-headers/ |
| CWE Id | 497 |
| WASC Id | 13 |
| Plugin Id | 10037 |
|
Low |
Server Leaks Version Information via "Server" HTTP Response Header Field |
|---|---|
| Description |
The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.
|
| URL | http://host.docker.internal:8888/ |
| Node Name | http://host.docker.internal:8888/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Apache/2.4.66 (Debian) |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis |
| Node Name | http://host.docker.internal:8888/sasis |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Apache/2.4.66 (Debian) |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/ |
| Node Name | http://host.docker.internal:8888/sasis/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Apache/2.4.66 (Debian) |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Apache/2.4.66 (Debian) |
| Other Info | |
| URL | http://host.docker.internal:8888/sitemap.xml |
| Node Name | http://host.docker.internal:8888/sitemap.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | Apache/2.4.66 (Debian) |
| Other Info | |
| Instances | Systemic |
| Solution |
Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.
|
| Reference |
https://httpd.apache.org/docs/current/mod/core.html#servertokens
https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10) https://www.troyhunt.com/shhh-dont-let-your-response-headers/ |
| CWE Id | 497 |
| WASC Id | 13 |
| Plugin Id | 10036 |
|
Low |
X-Content-Type-Options Header Missing |
|---|---|
| Description |
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
|
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info |
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.
At "High" threshold this scan rule will not alert on client or server error responses.
|
| URL | http://host.docker.internal:8888/sasis/mgmt/css/modern-ui.css?v=24.16.8 |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/css/modern-ui.css (v) |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info |
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.
At "High" threshold this scan rule will not alert on client or server error responses.
|
| URL | http://host.docker.internal:8888/sasis/mgmt/css/select2-bootstrap5.min.css?v=24.16.8 |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/css/select2-bootstrap5.min.css (v) |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info |
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.
At "High" threshold this scan rule will not alert on client or server error responses.
|
| URL | http://host.docker.internal:8888/sasis/mgmt/css/select2.min.css?v=24.16.8 |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/css/select2.min.css (v) |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info |
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.
At "High" threshold this scan rule will not alert on client or server error responses.
|
| URL | http://host.docker.internal:8888/sasis/mgmt/plugins/fontawesome-free/css/all.min.css?v=24.16.8 |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/plugins/fontawesome-free/css/all.min.css (v) |
| Method | GET |
| Parameter | x-content-type-options |
| Attack | |
| Evidence | |
| Other Info |
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.
At "High" threshold this scan rule will not alert on client or server error responses.
|
| Instances | Systemic |
| Solution |
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
|
| Reference |
https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
https://owasp.org/www-community/Security_Headers |
| CWE Id | 693 |
| WASC Id | 15 |
| Plugin Id | 10021 |
|
Informational |
Authentication Request Identified |
|---|---|
| Description |
The given request has been identified as an authentication request. The 'Other Info' field contains a set of key=value lines which identify any relevant fields. If the request is in a context which has an Authentication Method set to "Auto-Detect" then this rule will change the authentication to match the request identified.
|
| URL | http://host.docker.internal:8888/sasis/mgmt/login |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login ()(csrf_name,csrf_value,g-recaptcha-response-login,password,type,username) |
| Method | POST |
| Parameter | g-recaptcha-response-login |
| Attack | |
| Evidence | password |
| Other Info |
userParam=g-recaptcha-response-login
userValue=
passwordParam=password
referer=http://host.docker.internal:8888/sasis/mgmt/login
csrfToken=csrf_name
csrfToken=csrf_value
|
| Instances | 1 |
| Solution |
This is an informational alert rather than a vulnerability and so there is nothing to fix.
|
| Reference | https://www.zaproxy.org/docs/desktop/addons/authentication-helper/auth-req-id/ |
| CWE Id | |
| WASC Id | |
| Plugin Id | 10111 |
|
Informational |
Information Disclosure - Suspicious Comments |
|---|---|
| Description |
The response appears to contain suspicious comments which may help an attacker.
|
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | <!-- Sidebar user panel --> |
| Other Info |
The following pattern was used: \bUSER\b and was detected in likely comment: "<!-- Sidebar user panel -->", see evidence field for the suspicious comment/snippet.
|
| URL | http://host.docker.internal:8888/sasis/mgmt/login |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | <!-- Sidebar user panel --> |
| Other Info |
The following pattern was used: \bUSER\b and was detected in likely comment: "<!-- Sidebar user panel -->", see evidence field for the suspicious comment/snippet.
|
| URL | http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login (body,title) |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | <!-- Sidebar user panel --> |
| Other Info |
The following pattern was used: \bUSER\b and was detected in likely comment: "<!-- Sidebar user panel -->", see evidence field for the suspicious comment/snippet.
|
| Instances | 3 |
| Solution |
Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.
|
| Reference | |
| CWE Id | 615 |
| WASC Id | 13 |
| Plugin Id | 10027 |
|
Informational |
Modern Web Application |
|---|---|
| Description |
The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.
|
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | <a class="nav-link" data-widget="pushmenu" data-enable-remember="true" data-ew-action="none"><i class="fa-solid fa-bars ew-icon"></i></a> |
| Other Info |
Links have been found that do not have traditional href attributes, which is an indication that this is a modern web application.
|
| URL | http://host.docker.internal:8888/sasis/mgmt/login |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | <a class="nav-link" data-widget="pushmenu" data-enable-remember="true" data-ew-action="none"><i class="fa-solid fa-bars ew-icon"></i></a> |
| Other Info |
Links have been found that do not have traditional href attributes, which is an indication that this is a modern web application.
|
| URL | http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login (body,title) |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | <a class="nav-link" data-widget="pushmenu" data-enable-remember="true" data-ew-action="none"><i class="fa-solid fa-bars ew-icon"></i></a> |
| Other Info |
Links have been found that do not have traditional href attributes, which is an indication that this is a modern web application.
|
| Instances | 3 |
| Solution |
This is an informational alert and so no changes are required.
|
| Reference | |
| CWE Id | |
| WASC Id | |
| Plugin Id | 10109 |
|
Informational |
Non-Storable Content |
|---|---|
| Description |
The response contents are not storable by caching components such as proxy servers. If the response does not contain sensitive, personal or user-specific information, it may benefit from being stored and cached, to improve performance.
|
| URL | http://host.docker.internal:8888/ |
| Node Name | http://host.docker.internal:8888/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 403 |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/ |
| Node Name | http://host.docker.internal:8888/sasis/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | 403 |
| Other Info | |
| URL | http://host.docker.internal:8888/sasis/mgmt/ |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | no-store |
| Other Info | |
| Instances | 3 |
| Solution |
The content may be marked as storable by ensuring that the following conditions are satisfied:
The request method must be understood by the cache and defined as being cacheable ("GET", "HEAD", and "POST" are currently defined as cacheable)
The response status code must be understood by the cache (one of the 1XX, 2XX, 3XX, 4XX, or 5XX response classes are generally understood)
The "no-store" cache directive must not appear in the request or response header fields
For caching by "shared" caches such as "proxy" caches, the "private" response directive must not appear in the response
For caching by "shared" caches such as "proxy" caches, the "Authorization" header field must not appear in the request, unless the response explicitly allows it (using one of the "must-revalidate", "public", or "s-maxage" Cache-Control response directives)
In addition to the conditions above, at least one of the following conditions must also be satisfied by the response:
It must contain an "Expires" header field
It must contain a "max-age" response directive
For "shared" caches such as "proxy" caches, it must contain a "s-maxage" response directive
It must contain a "Cache Control Extension" that allows it to be cached
It must have a status code that is defined as cacheable by default (200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501).
|
| Reference |
https://datatracker.ietf.org/doc/html/rfc7234
https://datatracker.ietf.org/doc/html/rfc7231 https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html |
| CWE Id | 524 |
| WASC Id | 13 |
| Plugin Id | 10049 |
|
Informational |
Session Management Response Identified |
|---|---|
| Description |
The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to "Auto-Detect" then this rule will change the session management to use the tokens identified.
|
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | PHPSESSID |
| Other Info |
cookie:PHPSESSID
|
| URL | http://host.docker.internal:8888/sasis/mgmt/ |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/ |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | PHPSESSID |
| Other Info |
cookie:PHPSESSID
|
| URL | http://host.docker.internal:8888/sasis/mgmt/index |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/index |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | PHPSESSID |
| Other Info |
cookie:PHPSESSID
|
| URL | http://host.docker.internal:8888/sasis/mgmt/login |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | PHPSESSID |
| Other Info |
cookie:PHPSESSID
|
| URL | http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/login (body,title) |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | PHPSESSID |
| Other Info |
cookie:PHPSESSID
|
| URL | http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3EthumbnailUrl%7D%7D |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/{{>thumbnailUrl}} |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | PHPSESSID |
| Other Info |
cookie:PHPSESSID
|
| URL | http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3Eurl%7D%7D |
| Node Name | http://host.docker.internal:8888/sasis/mgmt/{{>url}} |
| Method | GET |
| Parameter | PHPSESSID |
| Attack | |
| Evidence | PHPSESSID |
| Other Info |
cookie:PHPSESSID
|
| Instances | 7 |
| Solution |
This is an informational alert rather than a vulnerability and so there is nothing to fix.
|
| Reference | https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id/ |
| CWE Id | |
| WASC Id | |
| Plugin Id | 10112 |
|
Informational |
Storable and Cacheable Content |
|---|---|
| Description |
The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where "shared" caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.
|
| URL | http://host.docker.internal:8888/if |
| Node Name | http://host.docker.internal:8888/if |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info |
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
|
| URL | http://host.docker.internal:8888/robots.txt |
| Node Name | http://host.docker.internal:8888/robots.txt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info |
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
|
| URL | http://host.docker.internal:8888/sasis |
| Node Name | http://host.docker.internal:8888/sasis |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info |
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
|
| URL | http://host.docker.internal:8888/sasis/mgmt |
| Node Name | http://host.docker.internal:8888/sasis/mgmt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info |
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
|
| URL | http://host.docker.internal:8888/sitemap.xml |
| Node Name | http://host.docker.internal:8888/sitemap.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info |
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
|
| Instances | Systemic |
| Solution |
Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:
Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
Expires: 0
This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.
|
| Reference |
https://datatracker.ietf.org/doc/html/rfc7234
https://datatracker.ietf.org/doc/html/rfc7231 https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html |
| CWE Id | 524 |
| WASC Id | 13 |
| Plugin Id | 10049 |