ZAP Scanning Report

Site: http://host.docker.internal:8888

Generated on Thu, 4 Jun 2026 21:46:21

ZAP Version: 2.17.0

ZAP by Checkmarx

Summary of Alerts

Risk Level Number of Alerts
High
0
Medium
3
Low
12
Informational
6
False Positives:
0

Insights

Level Reason Site Description Statistic
Info
Informational
http://host.docker.internal:8888
Percentage of responses with status code 2xx
48 %
Info
Informational
http://host.docker.internal:8888
Percentage of responses with status code 3xx
14 %
Info
Informational
http://host.docker.internal:8888
Percentage of responses with status code 4xx
37 %
Info
Informational
http://host.docker.internal:8888
Percentage of endpoints with content type application/json
12 %
Info
Informational
http://host.docker.internal:8888
Percentage of endpoints with content type image/png
8 %
Info
Informational
http://host.docker.internal:8888
Percentage of endpoints with content type text/css
24 %
Info
Informational
http://host.docker.internal:8888
Percentage of endpoints with content type text/html
48 %
Info
Informational
http://host.docker.internal:8888
Percentage of endpoints with content type text/javascript
8 %
Info
Informational
http://host.docker.internal:8888
Percentage of endpoints with method GET
96 %
Info
Informational
http://host.docker.internal:8888
Percentage of endpoints with method POST
4 %
Info
Informational
http://host.docker.internal:8888
Count of total endpoints
25
Info
Informational
http://host.docker.internal:8888
Percentage of slow responses
25 %

Summary of Sequences

For each step: result (Pass/Fail) - risk (of highest alert(s) for the step, if any).

Alerts

Name Risk Level Number of Instances
Content Security Policy (CSP) Header Not Set Medium Systemic
Missing Anti-clickjacking Header Medium 3
Sub Resource Integrity Attribute Missing Medium 3
Big Redirect Detected (Potential Sensitive Information Leak) Low 2
Cookie No HttpOnly Flag Low 2
Cookie with SameSite Attribute None Low 5
Cookie without SameSite Attribute Low 2
Cross-Origin-Embedder-Policy Header Missing or Invalid Low 2
Cross-Origin-Opener-Policy Header Missing or Invalid Low 2
Cross-Origin-Resource-Policy Header Missing or Invalid Low Systemic
In Page Banner Information Leak Low Systemic
Permissions Policy Header Not Set Low Systemic
Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) Low Systemic
Server Leaks Version Information via "Server" HTTP Response Header Field Low Systemic
X-Content-Type-Options Header Missing Low Systemic
Authentication Request Identified Informational 1
Information Disclosure - Suspicious Comments Informational 3
Modern Web Application Informational 3
Non-Storable Content Informational 3
Session Management Response Identified Informational 7
Storable and Cacheable Content Informational Systemic

Alert Detail

Medium
Content Security Policy (CSP) Header Not Set
Description
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
URL http://host.docker.internal:8888/
Node Name http://host.docker.internal:8888/
Method GET
Parameter
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/robots.txt
Node Name http://host.docker.internal:8888/robots.txt
Method GET
Parameter
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/sasis/
Node Name http://host.docker.internal:8888/sasis/
Method GET
Parameter
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/sitemap.xml
Node Name http://host.docker.internal:8888/sitemap.xml
Method GET
Parameter
Attack
Evidence
Other Info
Instances Systemic
Solution
Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://www.w3.org/TR/CSP/
https://w3c.github.io/webappsec-csp/
https://web.dev/articles/csp
https://caniuse.com/#feat=contentsecuritypolicy
https://content-security-policy.com/
CWE Id 693
WASC Id 15
Plugin Id 10038
Medium
Missing Anti-clickjacking Header
Description
The response does not protect against 'ClickJacking' attacks. It should include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options.
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter x-frame-options
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/login
Node Name http://host.docker.internal:8888/sasis/mgmt/login
Method GET
Parameter x-frame-options
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP
Node Name http://host.docker.internal:8888/sasis/mgmt/login (body,title)
Method GET
Parameter x-frame-options
Attack
Evidence
Other Info
Instances 3
Solution
Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.

If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
CWE Id 1021
WASC Id 15
Plugin Id 10020
Medium
Sub Resource Integrity Attribute Missing
Description
The integrity attribute is missing on a script or link tag served by an external server. The integrity tag prevents an attacker who have gained access to this server from injecting a malicious content.
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter
Attack
Evidence <link href="https://fonts.googleapis.com/css2?family=Poppins:wght@400;600;700&display=swap" rel="stylesheet">
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/login
Node Name http://host.docker.internal:8888/sasis/mgmt/login
Method GET
Parameter
Attack
Evidence <link href="https://fonts.googleapis.com/css2?family=Poppins:wght@400;600;700&display=swap" rel="stylesheet">
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP
Node Name http://host.docker.internal:8888/sasis/mgmt/login (body,title)
Method GET
Parameter
Attack
Evidence <link href="https://fonts.googleapis.com/css2?family=Poppins:wght@400;600;700&display=swap" rel="stylesheet">
Other Info
Instances 3
Solution
Provide a valid integrity attribute to the tag.
Reference https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
CWE Id 345
WASC Id 15
Plugin Id 90003
Low
Big Redirect Detected (Potential Sensitive Information Leak)
Description
The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.).
URL http://host.docker.internal:8888/sasis
Node Name http://host.docker.internal:8888/sasis
Method GET
Parameter
Attack
Evidence
Other Info
Location header URI length: 39 [http://host.docker.internal:8888/sasis/].

Predicted response size: 339.

Response Body Length: 375.
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter
Attack
Evidence
Other Info
Location header URI length: 44 [http://host.docker.internal:8888/sasis/mgmt/].

Predicted response size: 344.

Response Body Length: 380.
Instances 2
Solution
Ensure that no sensitive information is leaked via redirect responses. Redirect responses should have almost no content.
Reference
CWE Id 201
WASC Id 13
Plugin Id 10044
Low
Cookie No HttpOnly Flag
Description
A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.
URL http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3EthumbnailUrl%7D%7D
Node Name http://host.docker.internal:8888/sasis/mgmt/{{>thumbnailUrl}}
Method GET
Parameter PHPSESSID
Attack
Evidence Set-Cookie: PHPSESSID
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3Eurl%7D%7D
Node Name http://host.docker.internal:8888/sasis/mgmt/{{>url}}
Method GET
Parameter PHPSESSID
Attack
Evidence Set-Cookie: PHPSESSID
Other Info
Instances 2
Solution
Ensure that the HttpOnly flag is set for all cookies.
Reference https://owasp.org/www-community/HttpOnly
CWE Id 1004
WASC Id 13
Plugin Id 10010
Low
Cookie with SameSite Attribute None
Description
A cookie has been set with its SameSite attribute set to "none", which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter PHPSESSID
Attack
Evidence Set-Cookie: PHPSESSID
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/
Node Name http://host.docker.internal:8888/sasis/mgmt/
Method GET
Parameter PHPSESSID
Attack
Evidence Set-Cookie: PHPSESSID
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/index
Node Name http://host.docker.internal:8888/sasis/mgmt/index
Method GET
Parameter PHPSESSID
Attack
Evidence Set-Cookie: PHPSESSID
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/login
Node Name http://host.docker.internal:8888/sasis/mgmt/login
Method GET
Parameter PHPSESSID
Attack
Evidence Set-Cookie: PHPSESSID
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP
Node Name http://host.docker.internal:8888/sasis/mgmt/login (body,title)
Method GET
Parameter PHPSESSID
Attack
Evidence Set-Cookie: PHPSESSID
Other Info
Instances 5
Solution
Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
Reference https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site
CWE Id 1275
WASC Id 13
Plugin Id 10054
Low
Cookie without SameSite Attribute
Description
A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.
URL http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3EthumbnailUrl%7D%7D
Node Name http://host.docker.internal:8888/sasis/mgmt/{{>thumbnailUrl}}
Method GET
Parameter PHPSESSID
Attack
Evidence Set-Cookie: PHPSESSID
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3Eurl%7D%7D
Node Name http://host.docker.internal:8888/sasis/mgmt/{{>url}}
Method GET
Parameter PHPSESSID
Attack
Evidence Set-Cookie: PHPSESSID
Other Info
Instances 2
Solution
Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
Reference https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site
CWE Id 1275
WASC Id 13
Plugin Id 10054
Low
Cross-Origin-Embedder-Policy Header Missing or Invalid
Description
Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter Cross-Origin-Embedder-Policy
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/login
Node Name http://host.docker.internal:8888/sasis/mgmt/login
Method GET
Parameter Cross-Origin-Embedder-Policy
Attack
Evidence
Other Info
Instances 2
Solution
Ensure that the application/web server sets the Cross-Origin-Embedder-Policy header appropriately, and that it sets the Cross-Origin-Embedder-Policy header to 'require-corp' for documents.

If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Embedder-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-embedder-policy).
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
CWE Id 693
WASC Id 14
Plugin Id 90004
Low
Cross-Origin-Opener-Policy Header Missing or Invalid
Description
Cross-Origin-Opener-Policy header is a response header that allows a site to control if others included documents share the same browsing context. Sharing the same browsing context with untrusted documents might lead to data leak.
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter Cross-Origin-Opener-Policy
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/login
Node Name http://host.docker.internal:8888/sasis/mgmt/login
Method GET
Parameter Cross-Origin-Opener-Policy
Attack
Evidence
Other Info
Instances 2
Solution
Ensure that the application/web server sets the Cross-Origin-Opener-Policy header appropriately, and that it sets the Cross-Origin-Opener-Policy header to 'same-origin' for documents.

'same-origin-allow-popups' is considered as less secured and should be avoided.

If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Opener-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-opener-policy).
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
CWE Id 693
WASC Id 14
Plugin Id 90004
Low
Cross-Origin-Resource-Policy Header Missing or Invalid
Description
Cross-Origin-Resource-Policy header is an opt-in header designed to counter side-channels attacks like Spectre. Resource should be specifically set as shareable amongst different origins.
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter Cross-Origin-Resource-Policy
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/css/modern-ui.css?v=24.16.8
Node Name http://host.docker.internal:8888/sasis/mgmt/css/modern-ui.css (v)
Method GET
Parameter Cross-Origin-Resource-Policy
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/css/select2-bootstrap5.min.css?v=24.16.8
Node Name http://host.docker.internal:8888/sasis/mgmt/css/select2-bootstrap5.min.css (v)
Method GET
Parameter Cross-Origin-Resource-Policy
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/css/select2.min.css?v=24.16.8
Node Name http://host.docker.internal:8888/sasis/mgmt/css/select2.min.css (v)
Method GET
Parameter Cross-Origin-Resource-Policy
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/plugins/fontawesome-free/css/all.min.css?v=24.16.8
Node Name http://host.docker.internal:8888/sasis/mgmt/plugins/fontawesome-free/css/all.min.css (v)
Method GET
Parameter Cross-Origin-Resource-Policy
Attack
Evidence
Other Info
Instances Systemic
Solution
Ensure that the application/web server sets the Cross-Origin-Resource-Policy header appropriately, and that it sets the Cross-Origin-Resource-Policy header to 'same-origin' for all web pages.

'same-site' is considered as less secured and should be avoided.

If resources must be shared, set the header to 'cross-origin'.

If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Resource-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-resource-policy).
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
CWE Id 693
WASC Id 14
Plugin Id 90004
Low
In Page Banner Information Leak
Description
The server returned a version banner string in the response content. Such information leaks may allow attackers to further target specific issues impacting the product and version in use.
URL http://host.docker.internal:8888/
Node Name http://host.docker.internal:8888/
Method GET
Parameter
Attack
Evidence Apache/2.4.66
Other Info
There is a chance that the highlight in the finding is on a value in the headers, versus the actual matched string in the response body.
URL http://host.docker.internal:8888/if
Node Name http://host.docker.internal:8888/if
Method GET
Parameter
Attack
Evidence Apache/2.4.66
Other Info
There is a chance that the highlight in the finding is on a value in the headers, versus the actual matched string in the response body.
URL http://host.docker.internal:8888/robots.txt
Node Name http://host.docker.internal:8888/robots.txt
Method GET
Parameter
Attack
Evidence Apache/2.4.66
Other Info
There is a chance that the highlight in the finding is on a value in the headers, versus the actual matched string in the response body.
URL http://host.docker.internal:8888/sasis/
Node Name http://host.docker.internal:8888/sasis/
Method GET
Parameter
Attack
Evidence Apache/2.4.66
Other Info
There is a chance that the highlight in the finding is on a value in the headers, versus the actual matched string in the response body.
URL http://host.docker.internal:8888/sitemap.xml
Node Name http://host.docker.internal:8888/sitemap.xml
Method GET
Parameter
Attack
Evidence Apache/2.4.66
Other Info
There is a chance that the highlight in the finding is on a value in the headers, versus the actual matched string in the response body.
Instances Systemic
Solution
Configure the server to prevent such information leaks. For example:

Under Tomcat this is done via the "server" directive and implementation of custom error pages.

Under Apache this is done via the "ServerSignature" and "ServerTokens" directives.
Reference https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/
CWE Id 497
WASC Id 13
Plugin Id 10009
Low
Permissions Policy Header Not Set
Description
Permissions Policy Header is an added layer of security that helps to restrict from unauthorized access or usage of browser/client features by web resources. This policy ensures the user privacy by limiting or specifying the features of the browsers can be used by the web resources. Permissions Policy provides a set of standard HTTP headers that allow website owners to limit which features of browsers can be used by the page such as camera, microphone, location, full screen etc.
URL http://host.docker.internal:8888/
Node Name http://host.docker.internal:8888/
Method GET
Parameter
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/robots.txt
Node Name http://host.docker.internal:8888/robots.txt
Method GET
Parameter
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/sasis/
Node Name http://host.docker.internal:8888/sasis/
Method GET
Parameter
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter
Attack
Evidence
Other Info
URL http://host.docker.internal:8888/sitemap.xml
Node Name http://host.docker.internal:8888/sitemap.xml
Method GET
Parameter
Attack
Evidence
Other Info
Instances Systemic
Solution
Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header.
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
https://developer.chrome.com/blog/feature-policy/
https://scotthelme.co.uk/a-new-security-header-feature-policy/
https://w3c.github.io/webappsec-feature-policy/
https://www.smashingmagazine.com/2018/12/feature-policy/
CWE Id 693
WASC Id 15
Plugin Id 10063
Low
Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
Description
The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter
Attack
Evidence X-Powered-By: PHP/8.2.30
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/
Node Name http://host.docker.internal:8888/sasis/mgmt/
Method GET
Parameter
Attack
Evidence X-Powered-By: PHP/8.2.30
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/login
Node Name http://host.docker.internal:8888/sasis/mgmt/login
Method GET
Parameter
Attack
Evidence X-Powered-By: PHP/8.2.30
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3EthumbnailUrl%7D%7D
Node Name http://host.docker.internal:8888/sasis/mgmt/{{>thumbnailUrl}}
Method GET
Parameter
Attack
Evidence X-Powered-By: PHP/8.2.30
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3Eurl%7D%7D
Node Name http://host.docker.internal:8888/sasis/mgmt/{{>url}}
Method GET
Parameter
Attack
Evidence X-Powered-By: PHP/8.2.30
Other Info
Instances Systemic
Solution
Ensure that your web server, application server, load balancer, etc. is configured to suppress "X-Powered-By" headers.
Reference https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework
https://www.troyhunt.com/shhh-dont-let-your-response-headers/
CWE Id 497
WASC Id 13
Plugin Id 10037
Low
Server Leaks Version Information via "Server" HTTP Response Header Field
Description
The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.
URL http://host.docker.internal:8888/
Node Name http://host.docker.internal:8888/
Method GET
Parameter
Attack
Evidence Apache/2.4.66 (Debian)
Other Info
URL http://host.docker.internal:8888/sasis
Node Name http://host.docker.internal:8888/sasis
Method GET
Parameter
Attack
Evidence Apache/2.4.66 (Debian)
Other Info
URL http://host.docker.internal:8888/sasis/
Node Name http://host.docker.internal:8888/sasis/
Method GET
Parameter
Attack
Evidence Apache/2.4.66 (Debian)
Other Info
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter
Attack
Evidence Apache/2.4.66 (Debian)
Other Info
URL http://host.docker.internal:8888/sitemap.xml
Node Name http://host.docker.internal:8888/sitemap.xml
Method GET
Parameter
Attack
Evidence Apache/2.4.66 (Debian)
Other Info
Instances Systemic
Solution
Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.
Reference https://httpd.apache.org/docs/current/mod/core.html#servertokens
https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)
https://www.troyhunt.com/shhh-dont-let-your-response-headers/
CWE Id 497
WASC Id 13
Plugin Id 10036
Low
X-Content-Type-Options Header Missing
Description
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter x-content-type-options
Attack
Evidence
Other Info
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scan rule will not alert on client or server error responses.
URL http://host.docker.internal:8888/sasis/mgmt/css/modern-ui.css?v=24.16.8
Node Name http://host.docker.internal:8888/sasis/mgmt/css/modern-ui.css (v)
Method GET
Parameter x-content-type-options
Attack
Evidence
Other Info
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scan rule will not alert on client or server error responses.
URL http://host.docker.internal:8888/sasis/mgmt/css/select2-bootstrap5.min.css?v=24.16.8
Node Name http://host.docker.internal:8888/sasis/mgmt/css/select2-bootstrap5.min.css (v)
Method GET
Parameter x-content-type-options
Attack
Evidence
Other Info
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scan rule will not alert on client or server error responses.
URL http://host.docker.internal:8888/sasis/mgmt/css/select2.min.css?v=24.16.8
Node Name http://host.docker.internal:8888/sasis/mgmt/css/select2.min.css (v)
Method GET
Parameter x-content-type-options
Attack
Evidence
Other Info
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scan rule will not alert on client or server error responses.
URL http://host.docker.internal:8888/sasis/mgmt/plugins/fontawesome-free/css/all.min.css?v=24.16.8
Node Name http://host.docker.internal:8888/sasis/mgmt/plugins/fontawesome-free/css/all.min.css (v)
Method GET
Parameter x-content-type-options
Attack
Evidence
Other Info
This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scan rule will not alert on client or server error responses.
Instances Systemic
Solution
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
Reference https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
https://owasp.org/www-community/Security_Headers
CWE Id 693
WASC Id 15
Plugin Id 10021
Informational
Authentication Request Identified
Description
The given request has been identified as an authentication request. The 'Other Info' field contains a set of key=value lines which identify any relevant fields. If the request is in a context which has an Authentication Method set to "Auto-Detect" then this rule will change the authentication to match the request identified.
URL http://host.docker.internal:8888/sasis/mgmt/login
Node Name http://host.docker.internal:8888/sasis/mgmt/login ()(csrf_name,csrf_value,g-recaptcha-response-login,password,type,username)
Method POST
Parameter g-recaptcha-response-login
Attack
Evidence password
Other Info
userParam=g-recaptcha-response-login

userValue=

passwordParam=password

referer=http://host.docker.internal:8888/sasis/mgmt/login

csrfToken=csrf_name

csrfToken=csrf_value
Instances 1
Solution
This is an informational alert rather than a vulnerability and so there is nothing to fix.
Reference https://www.zaproxy.org/docs/desktop/addons/authentication-helper/auth-req-id/
CWE Id
WASC Id
Plugin Id 10111
Informational
Information Disclosure - Suspicious Comments
Description
The response appears to contain suspicious comments which may help an attacker.
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter
Attack
Evidence <!-- Sidebar user panel -->
Other Info
The following pattern was used: \bUSER\b and was detected in likely comment: "<!-- Sidebar user panel -->", see evidence field for the suspicious comment/snippet.
URL http://host.docker.internal:8888/sasis/mgmt/login
Node Name http://host.docker.internal:8888/sasis/mgmt/login
Method GET
Parameter
Attack
Evidence <!-- Sidebar user panel -->
Other Info
The following pattern was used: \bUSER\b and was detected in likely comment: "<!-- Sidebar user panel -->", see evidence field for the suspicious comment/snippet.
URL http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP
Node Name http://host.docker.internal:8888/sasis/mgmt/login (body,title)
Method GET
Parameter
Attack
Evidence <!-- Sidebar user panel -->
Other Info
The following pattern was used: \bUSER\b and was detected in likely comment: "<!-- Sidebar user panel -->", see evidence field for the suspicious comment/snippet.
Instances 3
Solution
Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.
Reference
CWE Id 615
WASC Id 13
Plugin Id 10027
Informational
Modern Web Application
Description
The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter
Attack
Evidence <a class="nav-link" data-widget="pushmenu" data-enable-remember="true" data-ew-action="none"><i class="fa-solid fa-bars ew-icon"></i></a>
Other Info
Links have been found that do not have traditional href attributes, which is an indication that this is a modern web application.
URL http://host.docker.internal:8888/sasis/mgmt/login
Node Name http://host.docker.internal:8888/sasis/mgmt/login
Method GET
Parameter
Attack
Evidence <a class="nav-link" data-widget="pushmenu" data-enable-remember="true" data-ew-action="none"><i class="fa-solid fa-bars ew-icon"></i></a>
Other Info
Links have been found that do not have traditional href attributes, which is an indication that this is a modern web application.
URL http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP
Node Name http://host.docker.internal:8888/sasis/mgmt/login (body,title)
Method GET
Parameter
Attack
Evidence <a class="nav-link" data-widget="pushmenu" data-enable-remember="true" data-ew-action="none"><i class="fa-solid fa-bars ew-icon"></i></a>
Other Info
Links have been found that do not have traditional href attributes, which is an indication that this is a modern web application.
Instances 3
Solution
This is an informational alert and so no changes are required.
Reference
CWE Id
WASC Id
Plugin Id 10109
Informational
Non-Storable Content
Description
The response contents are not storable by caching components such as proxy servers. If the response does not contain sensitive, personal or user-specific information, it may benefit from being stored and cached, to improve performance.
URL http://host.docker.internal:8888/
Node Name http://host.docker.internal:8888/
Method GET
Parameter
Attack
Evidence 403
Other Info
URL http://host.docker.internal:8888/sasis/
Node Name http://host.docker.internal:8888/sasis/
Method GET
Parameter
Attack
Evidence 403
Other Info
URL http://host.docker.internal:8888/sasis/mgmt/
Node Name http://host.docker.internal:8888/sasis/mgmt/
Method GET
Parameter
Attack
Evidence no-store
Other Info
Instances 3
Solution
The content may be marked as storable by ensuring that the following conditions are satisfied:

The request method must be understood by the cache and defined as being cacheable ("GET", "HEAD", and "POST" are currently defined as cacheable)

The response status code must be understood by the cache (one of the 1XX, 2XX, 3XX, 4XX, or 5XX response classes are generally understood)

The "no-store" cache directive must not appear in the request or response header fields

For caching by "shared" caches such as "proxy" caches, the "private" response directive must not appear in the response

For caching by "shared" caches such as "proxy" caches, the "Authorization" header field must not appear in the request, unless the response explicitly allows it (using one of the "must-revalidate", "public", or "s-maxage" Cache-Control response directives)

In addition to the conditions above, at least one of the following conditions must also be satisfied by the response:

It must contain an "Expires" header field

It must contain a "max-age" response directive

For "shared" caches such as "proxy" caches, it must contain a "s-maxage" response directive

It must contain a "Cache Control Extension" that allows it to be cached

It must have a status code that is defined as cacheable by default (200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501).
Reference https://datatracker.ietf.org/doc/html/rfc7234
https://datatracker.ietf.org/doc/html/rfc7231
https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
CWE Id 524
WASC Id 13
Plugin Id 10049
Informational
Session Management Response Identified
Description
The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to "Auto-Detect" then this rule will change the session management to use the tokens identified.
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter PHPSESSID
Attack
Evidence PHPSESSID
Other Info
cookie:PHPSESSID
URL http://host.docker.internal:8888/sasis/mgmt/
Node Name http://host.docker.internal:8888/sasis/mgmt/
Method GET
Parameter PHPSESSID
Attack
Evidence PHPSESSID
Other Info
cookie:PHPSESSID
URL http://host.docker.internal:8888/sasis/mgmt/index
Node Name http://host.docker.internal:8888/sasis/mgmt/index
Method GET
Parameter PHPSESSID
Attack
Evidence PHPSESSID
Other Info
cookie:PHPSESSID
URL http://host.docker.internal:8888/sasis/mgmt/login
Node Name http://host.docker.internal:8888/sasis/mgmt/login
Method GET
Parameter PHPSESSID
Attack
Evidence PHPSESSID
Other Info
cookie:PHPSESSID
URL http://host.docker.internal:8888/sasis/mgmt/login?body&title=ZAP
Node Name http://host.docker.internal:8888/sasis/mgmt/login (body,title)
Method GET
Parameter PHPSESSID
Attack
Evidence PHPSESSID
Other Info
cookie:PHPSESSID
URL http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3EthumbnailUrl%7D%7D
Node Name http://host.docker.internal:8888/sasis/mgmt/{{>thumbnailUrl}}
Method GET
Parameter PHPSESSID
Attack
Evidence PHPSESSID
Other Info
cookie:PHPSESSID
URL http://host.docker.internal:8888/sasis/mgmt/%7B%7B%3Eurl%7D%7D
Node Name http://host.docker.internal:8888/sasis/mgmt/{{>url}}
Method GET
Parameter PHPSESSID
Attack
Evidence PHPSESSID
Other Info
cookie:PHPSESSID
Instances 7
Solution
This is an informational alert rather than a vulnerability and so there is nothing to fix.
Reference https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id/
CWE Id
WASC Id
Plugin Id 10112
Informational
Storable and Cacheable Content
Description
The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where "shared" caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.
URL http://host.docker.internal:8888/if
Node Name http://host.docker.internal:8888/if
Method GET
Parameter
Attack
Evidence
Other Info
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URL http://host.docker.internal:8888/robots.txt
Node Name http://host.docker.internal:8888/robots.txt
Method GET
Parameter
Attack
Evidence
Other Info
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URL http://host.docker.internal:8888/sasis
Node Name http://host.docker.internal:8888/sasis
Method GET
Parameter
Attack
Evidence
Other Info
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URL http://host.docker.internal:8888/sasis/mgmt
Node Name http://host.docker.internal:8888/sasis/mgmt
Method GET
Parameter
Attack
Evidence
Other Info
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URL http://host.docker.internal:8888/sitemap.xml
Node Name http://host.docker.internal:8888/sitemap.xml
Method GET
Parameter
Attack
Evidence
Other Info
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
Instances Systemic
Solution
Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:

Cache-Control: no-cache, no-store, must-revalidate, private

Pragma: no-cache

Expires: 0

This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.
Reference https://datatracker.ietf.org/doc/html/rfc7234
https://datatracker.ietf.org/doc/html/rfc7231
https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
CWE Id 524
WASC Id 13
Plugin Id 10049

Sequence Details

With the associated active scan results.