From 03beab97b497f3a8335f88d2f8ff3c9827873149 Mon Sep 17 00:00:00 2001 From: vijaivir Date: Mon, 22 Jan 2024 17:11:18 +0000 Subject: [PATCH] =?UTF-8?q?Deploying=20to=20zap-scan=20from=20@=20bcgov/co?= =?UTF-8?q?mmon-hosted-form-service@ef65e46c73133305c48fe79046835500b860a3?= =?UTF-8?q?d5=20=F0=9F=9A=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- report_html.html | 242 ++++++++++++----------------------------------- report_json.json | 168 +++++++++++++------------------- report_md.md | 140 ++++++++++++--------------- 3 files changed, 185 insertions(+), 365 deletions(-) diff --git a/report_html.html b/report_html.html index c220db3b9..ef9b6be70 100644 --- a/report_html.html +++ b/report_html.html @@ -127,7 +127,7 @@

- Generated on Mon, 22 Jan 2024 16:05:48 + Generated on Mon, 22 Jan 2024 17:11:12

@@ -265,22 +265,22 @@

Alerts

Sec-Fetch-Dest Header is Missing Informational - 4 + 3 Sec-Fetch-Mode Header is Missing Informational - 4 + 3 Sec-Fetch-Site Header is Missing Informational - 4 + 3 Sec-Fetch-User Header is Missing Informational - 4 + 3 Session Management Response Identified @@ -325,7 +325,7 @@

Alert Detail

URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail Parameter - a97f95a2ab74ec0cf3ba8a0cd9d46d27 + eed6a67d093ebd7ab21b438a506ffb35 Alert Detail Evidence - set-cookie: a97f95a2ab74ec0cf3ba8a0cd9d46d27 + set-cookie: eed6a67d093ebd7ab21b438a506ffb35 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail class="indent2">Other Info Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: -These cookies did NOT affect the response: a97f95a2ab74ec0cf3ba8a0cd9d46d27 +These cookies did NOT affect the response: eed6a67d093ebd7ab21b438a506ffb35 URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ Alert Detail class="indent2">Other Info Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: -These cookies did NOT affect the response: a97f95a2ab74ec0cf3ba8a0cd9d46d27 +These cookies did NOT affect the response: eed6a67d093ebd7ab21b438a506ffb35 @@ -1636,7 +1636,7 @@

Alert Detail

URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ Alert Detail Evidence - <script type="module" crossorigin src="/pr-1176/assets/index-43130891.js"></script> + <script type="module" crossorigin src="/pr-1253/assets/index-abc27496.js"></script> Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 - - - Method - GET - - - Parameter - Sec-Fetch-Dest - - - Attack - - - - Evidence - - - - Other Info - - - - - URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/sitemap.xml + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ Alert Detail Instances - 4 + 3 Solution @@ -2199,38 +2168,7 @@

Alert Detail

URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 - - - Method - GET - - - Parameter - Sec-Fetch-Mode - - - Attack - - - - Evidence - - - - Other Info - - - - - URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/sitemap.xml + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ Alert Detail Instances - 4 + 3 Solution @@ -2376,38 +2314,7 @@

Alert Detail

URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 - - - Method - GET - - - Parameter - Sec-Fetch-Site - - - Attack - - - - Evidence - - - - Other Info - - - - - URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/sitemap.xml + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ Alert Detail Instances - 4 + 3 Solution @@ -2553,38 +2460,7 @@

Alert Detail

URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 - - - Method - GET - - - Parameter - Sec-Fetch-User - - - Attack - - - - Evidence - - - - Other Info - - - - - URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/sitemap.xml + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ Alert Detail Instances - 4 + 3 Solution @@ -2730,7 +2606,7 @@

Alert Detail

URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail Parameter - a97f95a2ab74ec0cf3ba8a0cd9d46d27 + eed6a67d093ebd7ab21b438a506ffb35 Alert Detail Evidence - c19232a260b2b9048dfc1b27627c0e9c + 0f6319b625232906eb0494cd1722df50 Other Info -cookie:a97f95a2ab74ec0cf3ba8a0cd9d46d27 +cookie:eed6a67d093ebd7ab21b438a506ffb35 @@ -2814,7 +2690,7 @@

Alert Detail

URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "content-security-policy", "attack": "", @@ -55,7 +55,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", "method": "GET", "param": "", "attack": "", @@ -85,7 +85,7 @@ "reference": "

https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy

https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

https://www.w3.org/TR/CSP/

https://w3c.github.io/webappsec-csp/

https://web.dev/articles/csp

https://caniuse.com/#feat=contentsecuritypolicy

https://content-security-policy.com/

", "cweid": "693", "wascid": "15", - "sourceid": "10" + "sourceid": "8" }, { "pluginid": "10020", @@ -98,7 +98,7 @@ "desc": "

The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", "method": "GET", "param": "x-frame-options", "attack": "", @@ -125,7 +125,7 @@ "desc": "

1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine

- A list of targets for an attack against the application.

- Potential vulnerabilities on the proxy servers that service the application.

- The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "", "attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.", @@ -133,7 +133,7 @@ "otherinfo": "Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server: \n- Unknown\nThe following web/application server has been identified: \n- [Express]\n" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", "method": "GET", "param": "", "attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.", @@ -147,7 +147,7 @@ "reference": "

https://tools.ietf.org/html/rfc7231#section-5.1.2

", "cweid": "200", "wascid": "45", - "sourceid": "458" + "sourceid": "459" }, { "pluginid": "10054", @@ -160,11 +160,11 @@ "desc": "

A cookie has been set with its SameSite attribute set to \"none\", which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", - "param": "a97f95a2ab74ec0cf3ba8a0cd9d46d27", + "param": "eed6a67d093ebd7ab21b438a506ffb35", "attack": "", - "evidence": "set-cookie: a97f95a2ab74ec0cf3ba8a0cd9d46d27", + "evidence": "set-cookie: eed6a67d093ebd7ab21b438a506ffb35", "otherinfo": "" } ], @@ -195,7 +195,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", "method": "GET", "param": "", "attack": "", @@ -225,7 +225,7 @@ "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy

https://developer.chrome.com/blog/feature-policy/

https://scotthelme.co.uk/a-new-security-header-feature-policy/

https://w3c.github.io/webappsec-feature-policy/

https://www.smashingmagazine.com/2018/12/feature-policy/

", "cweid": "693", "wascid": "15", - "sourceid": "10" + "sourceid": "8" }, { "pluginid": "10037", @@ -238,7 +238,7 @@ "desc": "

The web/application server is leaking information via one or more \"X-Powered-By\" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "", "attack": "", @@ -246,7 +246,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", "method": "GET", "param": "", "attack": "", @@ -281,7 +281,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", "method": "GET", "param": "", "attack": "", @@ -311,7 +311,7 @@ "reference": "

https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html

https://owasp.org/www-community/Security_Headers

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

https://caniuse.com/stricttransportsecurity

https://datatracker.ietf.org/doc/html/rfc6797

", "cweid": "319", "wascid": "15", - "sourceid": "10" + "sourceid": "8" }, { "pluginid": "10021", @@ -324,7 +324,7 @@ "desc": "

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", "method": "GET", "param": "x-content-type-options", "attack": "", @@ -351,29 +351,29 @@ "desc": "

Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "", "attack": "", "evidence": "", - "otherinfo": "Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\nThese cookies affected the response: \nThese cookies did NOT affect the response: a97f95a2ab74ec0cf3ba8a0cd9d46d27\n" + "otherinfo": "Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\nThese cookies affected the response: \nThese cookies did NOT affect the response: eed6a67d093ebd7ab21b438a506ffb35\n" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", "method": "GET", "param": "", "attack": "", "evidence": "", - "otherinfo": "Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\nThese cookies affected the response: \nThese cookies did NOT affect the response: a97f95a2ab74ec0cf3ba8a0cd9d46d27\n" + "otherinfo": "Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\nThese cookies affected the response: \nThese cookies did NOT affect the response: eed6a67d093ebd7ab21b438a506ffb35\n" } ], "count": "2", "solution": "", - "otherinfo": "

Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.

These cookies affected the response:

These cookies did NOT affect the response: a97f95a2ab74ec0cf3ba8a0cd9d46d27

", + "otherinfo": "

Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.

These cookies affected the response:

These cookies did NOT affect the response: eed6a67d093ebd7ab21b438a506ffb35

", "reference": "

https://cwe.mitre.org/data/definitions/205.html

", "cweid": "200", "wascid": "45", - "sourceid": "559" + "sourceid": "557" }, { "pluginid": "10109", @@ -386,11 +386,11 @@ "desc": "

The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", "method": "GET", "param": "", "attack": "", - "evidence": "", + "evidence": "", "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." } ], @@ -421,7 +421,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "", "attack": "", @@ -451,7 +451,7 @@ "reference": "

https://datatracker.ietf.org/doc/html/rfc7234

https://datatracker.ietf.org/doc/html/rfc7231

https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html

", "cweid": "524", "wascid": "13", - "sourceid": "10" + "sourceid": "8" }, { "pluginid": "10015", @@ -464,7 +464,7 @@ "desc": "

The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", "method": "GET", "param": "cache-control", "attack": "", @@ -491,15 +491,7 @@ "desc": "

Specifies how and where the data would be used. For instance, if the value is audio, then the requested resource must be audio data and not any other type of resource.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", - "method": "GET", - "param": "Sec-Fetch-Dest", - "attack": "", - "evidence": "", - "otherinfo": "" - }, - { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/", "method": "GET", "param": "Sec-Fetch-Dest", "attack": "", @@ -507,7 +499,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Sec-Fetch-Dest", "attack": "", @@ -515,7 +507,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/sitemap.xml", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", "method": "GET", "param": "Sec-Fetch-Dest", "attack": "", @@ -523,13 +515,13 @@ "otherinfo": "" } ], - "count": "4", + "count": "3", "solution": "

Ensure that Sec-Fetch-Dest header is included in request headers.

", "otherinfo": "", "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest

", "cweid": "352", "wascid": "9", - "sourceid": "1" + "sourceid": "8" }, { "pluginid": "90005", @@ -542,15 +534,7 @@ "desc": "

Allows to differentiate between requests for navigating between HTML pages and requests for loading resources like images, audio etc.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", - "method": "GET", - "param": "Sec-Fetch-Mode", - "attack": "", - "evidence": "", - "otherinfo": "" - }, - { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/", "method": "GET", "param": "Sec-Fetch-Mode", "attack": "", @@ -558,7 +542,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Sec-Fetch-Mode", "attack": "", @@ -566,7 +550,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/sitemap.xml", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", "method": "GET", "param": "Sec-Fetch-Mode", "attack": "", @@ -574,13 +558,13 @@ "otherinfo": "" } ], - "count": "4", + "count": "3", "solution": "

Ensure that Sec-Fetch-Mode header is included in request headers.

", "otherinfo": "", "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode

", "cweid": "352", "wascid": "9", - "sourceid": "1" + "sourceid": "8" }, { "pluginid": "90005", @@ -593,15 +577,7 @@ "desc": "

Specifies the relationship between request initiator's origin and target's origin.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", - "method": "GET", - "param": "Sec-Fetch-Site", - "attack": "", - "evidence": "", - "otherinfo": "" - }, - { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/", "method": "GET", "param": "Sec-Fetch-Site", "attack": "", @@ -609,7 +585,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Sec-Fetch-Site", "attack": "", @@ -617,7 +593,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/sitemap.xml", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", "method": "GET", "param": "Sec-Fetch-Site", "attack": "", @@ -625,13 +601,13 @@ "otherinfo": "" } ], - "count": "4", + "count": "3", "solution": "

Ensure that Sec-Fetch-Site header is included in request headers.

", "otherinfo": "", "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site

", "cweid": "352", "wascid": "9", - "sourceid": "1" + "sourceid": "8" }, { "pluginid": "90005", @@ -644,15 +620,7 @@ "desc": "

Specifies if a navigation request was initiated by a user.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", - "method": "GET", - "param": "Sec-Fetch-User", - "attack": "", - "evidence": "", - "otherinfo": "" - }, - { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/", "method": "GET", "param": "Sec-Fetch-User", "attack": "", @@ -660,7 +628,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Sec-Fetch-User", "attack": "", @@ -668,7 +636,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/sitemap.xml", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", "method": "GET", "param": "Sec-Fetch-User", "attack": "", @@ -676,13 +644,13 @@ "otherinfo": "" } ], - "count": "4", + "count": "3", "solution": "

Ensure that Sec-Fetch-User header is included in user initiated requests.

", "otherinfo": "", "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User

", "cweid": "352", "wascid": "9", - "sourceid": "1" + "sourceid": "8" }, { "pluginid": "10112", @@ -695,17 +663,17 @@ "desc": "

The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to \"Auto-Detect\" then this rule will change the session management to use the tokens identified.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", - "param": "a97f95a2ab74ec0cf3ba8a0cd9d46d27", + "param": "eed6a67d093ebd7ab21b438a506ffb35", "attack": "", - "evidence": "c19232a260b2b9048dfc1b27627c0e9c", - "otherinfo": "\ncookie:a97f95a2ab74ec0cf3ba8a0cd9d46d27" + "evidence": "0f6319b625232906eb0494cd1722df50", + "otherinfo": "\ncookie:eed6a67d093ebd7ab21b438a506ffb35" } ], "count": "1", "solution": "

This is an informational alert rather than a vulnerability and so there is nothing to fix.

", - "otherinfo": "

cookie:a97f95a2ab74ec0cf3ba8a0cd9d46d27

", + "otherinfo": "

cookie:eed6a67d093ebd7ab21b438a506ffb35

", "reference": "

https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id

", "cweid": "-1", "wascid": "-1", @@ -722,7 +690,7 @@ "desc": "

The response contents are storable by caching components such as proxy servers, but will not be retrieved directly from the cache, without validating the request upstream, in response to similar requests from other users.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", "method": "GET", "param": "", "attack": "", @@ -749,7 +717,7 @@ "desc": "

Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", @@ -757,7 +725,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)", @@ -765,7 +733,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", @@ -773,7 +741,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko", @@ -781,7 +749,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0", @@ -789,7 +757,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36", @@ -797,7 +765,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0", @@ -805,7 +773,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", @@ -813,7 +781,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)", @@ -821,7 +789,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4", @@ -829,7 +797,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16", @@ -837,7 +805,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", "method": "GET", "param": "Header User-Agent", "attack": "msnbot/1.1 (+http://search.msn.com/msnbot.htm)", @@ -851,7 +819,7 @@ "reference": "

https://owasp.org/wstg

", "cweid": "0", "wascid": "0", - "sourceid": "220" + "sourceid": "221" } ] } diff --git a/report_md.md b/report_md.md index f48984fda..7be2042b5 100644 --- a/report_md.md +++ b/report_md.md @@ -30,10 +30,10 @@ | Modern Web Application | Informational | 1 | | Non-Storable Content | Informational | 4 | | Re-examine Cache-control Directives | Informational | 1 | -| Sec-Fetch-Dest Header is Missing | Informational | 4 | -| Sec-Fetch-Mode Header is Missing | Informational | 4 | -| Sec-Fetch-Site Header is Missing | Informational | 4 | -| Sec-Fetch-User Header is Missing | Informational | 4 | +| Sec-Fetch-Dest Header is Missing | Informational | 3 | +| Sec-Fetch-Mode Header is Missing | Informational | 3 | +| Sec-Fetch-Site Header is Missing | Informational | 3 | +| Sec-Fetch-User Header is Missing | Informational | 3 | | Session Management Response Identified | Informational | 1 | | Storable but Non-Cacheable Content | Informational | 1 | | User Agent Fuzzer | Informational | 12 | @@ -55,7 +55,7 @@ Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `content-security-policy` * Attack: `` @@ -104,7 +104,7 @@ Content Security Policy (CSP) is an added layer of security that helps to detect * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ * Method: `GET` * Parameter: `` * Attack: `` @@ -158,7 +158,7 @@ Ensure that your web server, application server, load balancer, etc. is configur The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ * Method: `GET` * Parameter: `x-frame-options` * Attack: `` @@ -198,7 +198,7 @@ If you expect the page to be framed only by pages on your server (e.g. it's part - Potential vulnerabilities on the proxy servers that service the application. - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `` * Attack: `TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.` @@ -208,7 +208,7 @@ If you expect the page to be framed only by pages on your server (e.g. it's part The following web/application server has been identified: - [Express] ` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ * Method: `GET` * Parameter: `` * Attack: `TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.` @@ -252,11 +252,11 @@ Configure all proxies, application servers, and web servers to prevent disclosur A cookie has been set with its SameSite attribute set to "none", which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` - * Parameter: `a97f95a2ab74ec0cf3ba8a0cd9d46d27` + * Parameter: `eed6a67d093ebd7ab21b438a506ffb35` * Attack: `` - * Evidence: `set-cookie: a97f95a2ab74ec0cf3ba8a0cd9d46d27` + * Evidence: `set-cookie: eed6a67d093ebd7ab21b438a506ffb35` * Other Info: `` Instances: 1 @@ -294,7 +294,7 @@ Permissions Policy Header is an added layer of security that helps to restrict f * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ * Method: `GET` * Parameter: `` * Attack: `` @@ -346,13 +346,13 @@ Ensure that your web server, application server, load balancer, etc. is configur The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `` * Attack: `` * Evidence: `x-powered-by: Express` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ * Method: `GET` * Parameter: `` * Attack: `` @@ -395,7 +395,7 @@ HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ * Method: `GET` * Parameter: `` * Attack: `` @@ -447,7 +447,7 @@ Ensure that your web server, application server, load balancer, etc. is configur The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ * Method: `GET` * Parameter: `x-content-type-options` * Attack: `` @@ -486,23 +486,23 @@ If possible, ensure that the end user uses a standards-compliant and modern web Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `` * Attack: `` * Evidence: `` * Other Info: `Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: -These cookies did NOT affect the response: a97f95a2ab74ec0cf3ba8a0cd9d46d27 +These cookies did NOT affect the response: eed6a67d093ebd7ab21b438a506ffb35 ` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ * Method: `GET` * Parameter: `` * Attack: `` * Evidence: `` * Other Info: `Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: -These cookies did NOT affect the response: a97f95a2ab74ec0cf3ba8a0cd9d46d27 +These cookies did NOT affect the response: eed6a67d093ebd7ab21b438a506ffb35 ` Instances: 2 @@ -534,11 +534,11 @@ Instances: 2 The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ * Method: `GET` * Parameter: `` * Attack: `` - * Evidence: `` + * Evidence: `` * Other Info: `No links have been found while there are scripts, which is an indication that this is a modern web application.` Instances: 1 @@ -570,7 +570,7 @@ The response contents are not storable by caching components such as proxy serve * Attack: `` * Evidence: `no-store` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `` * Attack: `` @@ -631,7 +631,7 @@ It must have a status code that is defined as cacheable by default (200, 203, 20 The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ * Method: `GET` * Parameter: `cache-control` * Attack: `` @@ -669,32 +669,26 @@ For secure content, ensure the cache-control HTTP header is set with "no-cache, Specifies how and where the data would be used. For instance, if the value is audio, then the requested resource must be audio data and not any other type of resource. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 - * Method: `GET` - * Parameter: `Sec-Fetch-Dest` - * Attack: `` - * Evidence: `` - * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/ * Method: `GET` * Parameter: `Sec-Fetch-Dest` * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Sec-Fetch-Dest` * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/sitemap.xml +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ * Method: `GET` * Parameter: `Sec-Fetch-Dest` * Attack: `` * Evidence: `` * Other Info: `` -Instances: 4 +Instances: 3 ### Solution @@ -723,32 +717,26 @@ Ensure that Sec-Fetch-Dest header is included in request headers. Allows to differentiate between requests for navigating between HTML pages and requests for loading resources like images, audio etc. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 - * Method: `GET` - * Parameter: `Sec-Fetch-Mode` - * Attack: `` - * Evidence: `` - * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/ * Method: `GET` * Parameter: `Sec-Fetch-Mode` * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Sec-Fetch-Mode` * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/sitemap.xml +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ * Method: `GET` * Parameter: `Sec-Fetch-Mode` * Attack: `` * Evidence: `` * Other Info: `` -Instances: 4 +Instances: 3 ### Solution @@ -777,32 +765,26 @@ Ensure that Sec-Fetch-Mode header is included in request headers. Specifies the relationship between request initiator's origin and target's origin. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 - * Method: `GET` - * Parameter: `Sec-Fetch-Site` - * Attack: `` - * Evidence: `` - * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/ * Method: `GET` * Parameter: `Sec-Fetch-Site` * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Sec-Fetch-Site` * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/sitemap.xml +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ * Method: `GET` * Parameter: `Sec-Fetch-Site` * Attack: `` * Evidence: `` * Other Info: `` -Instances: 4 +Instances: 3 ### Solution @@ -831,32 +813,26 @@ Ensure that Sec-Fetch-Site header is included in request headers. Specifies if a navigation request was initiated by a user. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 - * Method: `GET` - * Parameter: `Sec-Fetch-User` - * Attack: `` - * Evidence: `` - * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/ * Method: `GET` * Parameter: `Sec-Fetch-User` * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Sec-Fetch-User` * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/sitemap.xml +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ * Method: `GET` * Parameter: `Sec-Fetch-User` * Attack: `` * Evidence: `` * Other Info: `` -Instances: 4 +Instances: 3 ### Solution @@ -885,13 +861,13 @@ Ensure that Sec-Fetch-User header is included in user initiated requests. The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to "Auto-Detect" then this rule will change the session management to use the tokens identified. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` - * Parameter: `a97f95a2ab74ec0cf3ba8a0cd9d46d27` + * Parameter: `eed6a67d093ebd7ab21b438a506ffb35` * Attack: `` - * Evidence: `c19232a260b2b9048dfc1b27627c0e9c` + * Evidence: `0f6319b625232906eb0494cd1722df50` * Other Info: ` -cookie:a97f95a2ab74ec0cf3ba8a0cd9d46d27` +cookie:eed6a67d093ebd7ab21b438a506ffb35` Instances: 1 @@ -918,7 +894,7 @@ This is an informational alert rather than a vulnerability and so there is nothi The response contents are storable by caching components such as proxy servers, but will not be retrieved directly from the cache, without validating the request upstream, in response to similar requests from other users. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ * Method: `GET` * Parameter: `` * Attack: `` @@ -956,73 +932,73 @@ Instances: 1 Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1176 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `msnbot/1.1 (+http://search.msn.com/msnbot.htm)`