From 1df56b3ff9600928e753154e03267be56dd762b3 Mon Sep 17 00:00:00 2001 From: WalterMoar Date: Tue, 23 Jan 2024 00:26:37 +0000 Subject: [PATCH] =?UTF-8?q?Deploying=20to=20zap-scan=20from=20@=20bcgov/co?= =?UTF-8?q?mmon-hosted-form-service@61bb21ee8616f0dda485633eb6e33157e0c2be?= =?UTF-8?q?6b=20=F0=9F=9A=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- report_html.html | 234 ++++++++++++++++++++++++++++++++++++----------- report_json.json | 144 +++++++++++++++++------------ report_md.md | 132 +++++++++++++++----------- 3 files changed, 345 insertions(+), 165 deletions(-) diff --git a/report_html.html b/report_html.html index ef9b6be70..eb351f28a 100644 --- a/report_html.html +++ b/report_html.html @@ -127,7 +127,7 @@

- Generated on Mon, 22 Jan 2024 17:11:12 + Generated on Tue, 23 Jan 2024 00:26:34

@@ -265,22 +265,22 @@

Alerts

Sec-Fetch-Dest Header is Missing Informational - 3 + 4 Sec-Fetch-Mode Header is Missing Informational - 3 + 4 Sec-Fetch-Site Header is Missing Informational - 3 + 4 Sec-Fetch-User Header is Missing Informational - 3 + 4 Session Management Response Identified @@ -325,7 +325,7 @@

Alert Detail

URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail Parameter - eed6a67d093ebd7ab21b438a506ffb35 + 8c745e4409e9f61c1c3dcb8c9d512912 Alert Detail Evidence - set-cookie: eed6a67d093ebd7ab21b438a506ffb35 + set-cookie: 8c745e4409e9f61c1c3dcb8c9d512912 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail class="indent2">Other Info Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: -These cookies did NOT affect the response: eed6a67d093ebd7ab21b438a506ffb35 +These cookies did NOT affect the response: 8c745e4409e9f61c1c3dcb8c9d512912 URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ Alert Detail class="indent2">Other Info Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: -These cookies did NOT affect the response: eed6a67d093ebd7ab21b438a506ffb35 +These cookies did NOT affect the response: 8c745e4409e9f61c1c3dcb8c9d512912 @@ -1636,7 +1636,7 @@

Alert Detail

URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ Alert Detail Evidence - <script type="module" crossorigin src="/pr-1253/assets/index-abc27496.js"></script> + <script type="module" crossorigin src="/pr-1180/assets/index-a36bec21.js"></script> Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 + + + Method + GET + + + Parameter + Sec-Fetch-Dest + + + Attack + + + + Evidence + + + + Other Info + + + + + URL + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt Alert Detail Instances - 3 + 4 Solution @@ -2199,7 +2230,38 @@

Alert Detail

URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 + + + Method + GET + + + Parameter + Sec-Fetch-Mode + + + Attack + + + + Evidence + + + + Other Info + + + + + URL + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt Alert Detail Instances - 3 + 4 Solution @@ -2345,7 +2407,7 @@

Alert Detail

URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ + + + Method + GET + + + Parameter + Sec-Fetch-Site + + + Attack + + + + Evidence + + + + Other Info + + + + + URL + https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt Alert Detail Instances - 3 + 4 Solution @@ -2491,7 +2584,7 @@

Alert Detail

URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ + + + Method + GET + + + Parameter + Sec-Fetch-User + + + Attack + + + + Evidence + + + + Other Info + + + + + URL + https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt Alert Detail Instances - 3 + 4 Solution @@ -2606,7 +2730,7 @@

Alert Detail

URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail Parameter - eed6a67d093ebd7ab21b438a506ffb35 + 8c745e4409e9f61c1c3dcb8c9d512912 Alert Detail Evidence - 0f6319b625232906eb0494cd1722df50 + 7dcc6c2a0abc459473c6f640043a0e42 Other Info -cookie:eed6a67d093ebd7ab21b438a506ffb35 +cookie:8c745e4409e9f61c1c3dcb8c9d512912 @@ -2690,7 +2814,7 @@

Alert Detail

URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Alert Detail URL - https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 + https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "content-security-policy", "attack": "", @@ -55,7 +55,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/", "method": "GET", "param": "", "attack": "", @@ -98,7 +98,7 @@ "desc": "

The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/", "method": "GET", "param": "x-frame-options", "attack": "", @@ -125,7 +125,7 @@ "desc": "

1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine

- A list of targets for an attack against the application.

- Potential vulnerabilities on the proxy servers that service the application.

- The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "", "attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.", @@ -133,7 +133,7 @@ "otherinfo": "Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server: \n- Unknown\nThe following web/application server has been identified: \n- [Express]\n" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/", "method": "GET", "param": "", "attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.", @@ -147,7 +147,7 @@ "reference": "

https://tools.ietf.org/html/rfc7231#section-5.1.2

", "cweid": "200", "wascid": "45", - "sourceid": "459" + "sourceid": "453" }, { "pluginid": "10054", @@ -160,11 +160,11 @@ "desc": "

A cookie has been set with its SameSite attribute set to \"none\", which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", - "param": "eed6a67d093ebd7ab21b438a506ffb35", + "param": "8c745e4409e9f61c1c3dcb8c9d512912", "attack": "", - "evidence": "set-cookie: eed6a67d093ebd7ab21b438a506ffb35", + "evidence": "set-cookie: 8c745e4409e9f61c1c3dcb8c9d512912", "otherinfo": "" } ], @@ -195,7 +195,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/", "method": "GET", "param": "", "attack": "", @@ -238,7 +238,7 @@ "desc": "

The web/application server is leaking information via one or more \"X-Powered-By\" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "", "attack": "", @@ -246,7 +246,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/", "method": "GET", "param": "", "attack": "", @@ -281,7 +281,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/", "method": "GET", "param": "", "attack": "", @@ -324,7 +324,7 @@ "desc": "

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/", "method": "GET", "param": "x-content-type-options", "attack": "", @@ -351,29 +351,29 @@ "desc": "

Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "", "attack": "", "evidence": "", - "otherinfo": "Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\nThese cookies affected the response: \nThese cookies did NOT affect the response: eed6a67d093ebd7ab21b438a506ffb35\n" + "otherinfo": "Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\nThese cookies affected the response: \nThese cookies did NOT affect the response: 8c745e4409e9f61c1c3dcb8c9d512912\n" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/", "method": "GET", "param": "", "attack": "", "evidence": "", - "otherinfo": "Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\nThese cookies affected the response: \nThese cookies did NOT affect the response: eed6a67d093ebd7ab21b438a506ffb35\n" + "otherinfo": "Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\nThese cookies affected the response: \nThese cookies did NOT affect the response: 8c745e4409e9f61c1c3dcb8c9d512912\n" } ], "count": "2", "solution": "", - "otherinfo": "

Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.

These cookies affected the response:

These cookies did NOT affect the response: eed6a67d093ebd7ab21b438a506ffb35

", + "otherinfo": "

Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.

These cookies affected the response:

These cookies did NOT affect the response: 8c745e4409e9f61c1c3dcb8c9d512912

", "reference": "

https://cwe.mitre.org/data/definitions/205.html

", "cweid": "200", "wascid": "45", - "sourceid": "557" + "sourceid": "554" }, { "pluginid": "10109", @@ -386,11 +386,11 @@ "desc": "

The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/", "method": "GET", "param": "", "attack": "", - "evidence": "", + "evidence": "", "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." } ], @@ -421,7 +421,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "", "attack": "", @@ -464,7 +464,7 @@ "desc": "

The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/", "method": "GET", "param": "cache-control", "attack": "", @@ -499,7 +499,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Sec-Fetch-Dest", "attack": "", @@ -507,7 +507,15 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/", + "method": "GET", + "param": "Sec-Fetch-Dest", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt", "method": "GET", "param": "Sec-Fetch-Dest", "attack": "", @@ -515,7 +523,7 @@ "otherinfo": "" } ], - "count": "3", + "count": "4", "solution": "

Ensure that Sec-Fetch-Dest header is included in request headers.

", "otherinfo": "", "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest

", @@ -542,7 +550,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Sec-Fetch-Mode", "attack": "", @@ -550,7 +558,15 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/", + "method": "GET", + "param": "Sec-Fetch-Mode", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt", "method": "GET", "param": "Sec-Fetch-Mode", "attack": "", @@ -558,7 +574,7 @@ "otherinfo": "" } ], - "count": "3", + "count": "4", "solution": "

Ensure that Sec-Fetch-Mode header is included in request headers.

", "otherinfo": "", "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode

", @@ -585,7 +601,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Sec-Fetch-Site", "attack": "", @@ -593,7 +609,15 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/", + "method": "GET", + "param": "Sec-Fetch-Site", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt", "method": "GET", "param": "Sec-Fetch-Site", "attack": "", @@ -601,7 +625,7 @@ "otherinfo": "" } ], - "count": "3", + "count": "4", "solution": "

Ensure that Sec-Fetch-Site header is included in request headers.

", "otherinfo": "", "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site

", @@ -628,7 +652,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Sec-Fetch-User", "attack": "", @@ -636,7 +660,15 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/", + "method": "GET", + "param": "Sec-Fetch-User", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt", "method": "GET", "param": "Sec-Fetch-User", "attack": "", @@ -644,7 +676,7 @@ "otherinfo": "" } ], - "count": "3", + "count": "4", "solution": "

Ensure that Sec-Fetch-User header is included in user initiated requests.

", "otherinfo": "", "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User

", @@ -663,17 +695,17 @@ "desc": "

The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to \"Auto-Detect\" then this rule will change the session management to use the tokens identified.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", - "param": "eed6a67d093ebd7ab21b438a506ffb35", + "param": "8c745e4409e9f61c1c3dcb8c9d512912", "attack": "", - "evidence": "0f6319b625232906eb0494cd1722df50", - "otherinfo": "\ncookie:eed6a67d093ebd7ab21b438a506ffb35" + "evidence": "7dcc6c2a0abc459473c6f640043a0e42", + "otherinfo": "\ncookie:8c745e4409e9f61c1c3dcb8c9d512912" } ], "count": "1", "solution": "

This is an informational alert rather than a vulnerability and so there is nothing to fix.

", - "otherinfo": "

cookie:eed6a67d093ebd7ab21b438a506ffb35

", + "otherinfo": "

cookie:8c745e4409e9f61c1c3dcb8c9d512912

", "reference": "

https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id

", "cweid": "-1", "wascid": "-1", @@ -690,7 +722,7 @@ "desc": "

The response contents are storable by caching components such as proxy servers, but will not be retrieved directly from the cache, without validating the request upstream, in response to similar requests from other users.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/", "method": "GET", "param": "", "attack": "", @@ -717,7 +749,7 @@ "desc": "

Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.

", "instances":[ { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", @@ -725,7 +757,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)", @@ -733,7 +765,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", @@ -741,7 +773,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko", @@ -749,7 +781,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0", @@ -757,7 +789,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36", @@ -765,7 +797,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0", @@ -773,7 +805,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", @@ -781,7 +813,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)", @@ -789,7 +821,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4", @@ -797,7 +829,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Header User-Agent", "attack": "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16", @@ -805,7 +837,7 @@ "otherinfo": "" }, { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253", + "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180", "method": "GET", "param": "Header User-Agent", "attack": "msnbot/1.1 (+http://search.msn.com/msnbot.htm)", @@ -819,7 +851,7 @@ "reference": "

https://owasp.org/wstg

", "cweid": "0", "wascid": "0", - "sourceid": "221" + "sourceid": "215" } ] } diff --git a/report_md.md b/report_md.md index 7be2042b5..e4be2e6bf 100644 --- a/report_md.md +++ b/report_md.md @@ -30,10 +30,10 @@ | Modern Web Application | Informational | 1 | | Non-Storable Content | Informational | 4 | | Re-examine Cache-control Directives | Informational | 1 | -| Sec-Fetch-Dest Header is Missing | Informational | 3 | -| Sec-Fetch-Mode Header is Missing | Informational | 3 | -| Sec-Fetch-Site Header is Missing | Informational | 3 | -| Sec-Fetch-User Header is Missing | Informational | 3 | +| Sec-Fetch-Dest Header is Missing | Informational | 4 | +| Sec-Fetch-Mode Header is Missing | Informational | 4 | +| Sec-Fetch-Site Header is Missing | Informational | 4 | +| Sec-Fetch-User Header is Missing | Informational | 4 | | Session Management Response Identified | Informational | 1 | | Storable but Non-Cacheable Content | Informational | 1 | | User Agent Fuzzer | Informational | 12 | @@ -55,7 +55,7 @@ Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `content-security-policy` * Attack: `` @@ -104,7 +104,7 @@ Content Security Policy (CSP) is an added layer of security that helps to detect * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ * Method: `GET` * Parameter: `` * Attack: `` @@ -158,7 +158,7 @@ Ensure that your web server, application server, load balancer, etc. is configur The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ * Method: `GET` * Parameter: `x-frame-options` * Attack: `` @@ -198,7 +198,7 @@ If you expect the page to be framed only by pages on your server (e.g. it's part - Potential vulnerabilities on the proxy servers that service the application. - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `` * Attack: `TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.` @@ -208,7 +208,7 @@ If you expect the page to be framed only by pages on your server (e.g. it's part The following web/application server has been identified: - [Express] ` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ * Method: `GET` * Parameter: `` * Attack: `TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.` @@ -252,11 +252,11 @@ Configure all proxies, application servers, and web servers to prevent disclosur A cookie has been set with its SameSite attribute set to "none", which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` - * Parameter: `eed6a67d093ebd7ab21b438a506ffb35` + * Parameter: `8c745e4409e9f61c1c3dcb8c9d512912` * Attack: `` - * Evidence: `set-cookie: eed6a67d093ebd7ab21b438a506ffb35` + * Evidence: `set-cookie: 8c745e4409e9f61c1c3dcb8c9d512912` * Other Info: `` Instances: 1 @@ -294,7 +294,7 @@ Permissions Policy Header is an added layer of security that helps to restrict f * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ * Method: `GET` * Parameter: `` * Attack: `` @@ -346,13 +346,13 @@ Ensure that your web server, application server, load balancer, etc. is configur The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `` * Attack: `` * Evidence: `x-powered-by: Express` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ * Method: `GET` * Parameter: `` * Attack: `` @@ -395,7 +395,7 @@ HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ * Method: `GET` * Parameter: `` * Attack: `` @@ -447,7 +447,7 @@ Ensure that your web server, application server, load balancer, etc. is configur The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ * Method: `GET` * Parameter: `x-content-type-options` * Attack: `` @@ -486,23 +486,23 @@ If possible, ensure that the end user uses a standards-compliant and modern web Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `` * Attack: `` * Evidence: `` * Other Info: `Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: -These cookies did NOT affect the response: eed6a67d093ebd7ab21b438a506ffb35 +These cookies did NOT affect the response: 8c745e4409e9f61c1c3dcb8c9d512912 ` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ * Method: `GET` * Parameter: `` * Attack: `` * Evidence: `` * Other Info: `Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: -These cookies did NOT affect the response: eed6a67d093ebd7ab21b438a506ffb35 +These cookies did NOT affect the response: 8c745e4409e9f61c1c3dcb8c9d512912 ` Instances: 2 @@ -534,11 +534,11 @@ Instances: 2 The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ * Method: `GET` * Parameter: `` * Attack: `` - * Evidence: `` + * Evidence: `` * Other Info: `No links have been found while there are scripts, which is an indication that this is a modern web application.` Instances: 1 @@ -570,7 +570,7 @@ The response contents are not storable by caching components such as proxy serve * Attack: `` * Evidence: `no-store` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `` * Attack: `` @@ -631,7 +631,7 @@ It must have a status code that is defined as cacheable by default (200, 203, 20 The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ * Method: `GET` * Parameter: `cache-control` * Attack: `` @@ -675,20 +675,26 @@ Specifies how and where the data would be used. For instance, if the value is au * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Sec-Fetch-Dest` * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ + * Method: `GET` + * Parameter: `Sec-Fetch-Dest` + * Attack: `` + * Evidence: `` + * Other Info: `` +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt * Method: `GET` * Parameter: `Sec-Fetch-Dest` * Attack: `` * Evidence: `` * Other Info: `` -Instances: 3 +Instances: 4 ### Solution @@ -723,20 +729,26 @@ Allows to differentiate between requests for navigating between HTML pages and r * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Sec-Fetch-Mode` * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ + * Method: `GET` + * Parameter: `Sec-Fetch-Mode` + * Attack: `` + * Evidence: `` + * Other Info: `` +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt * Method: `GET` * Parameter: `Sec-Fetch-Mode` * Attack: `` * Evidence: `` * Other Info: `` -Instances: 3 +Instances: 4 ### Solution @@ -771,20 +783,26 @@ Specifies the relationship between request initiator's origin and target's origi * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Sec-Fetch-Site` * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ + * Method: `GET` + * Parameter: `Sec-Fetch-Site` + * Attack: `` + * Evidence: `` + * Other Info: `` +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt * Method: `GET` * Parameter: `Sec-Fetch-Site` * Attack: `` * Evidence: `` * Other Info: `` -Instances: 3 +Instances: 4 ### Solution @@ -819,20 +837,26 @@ Specifies if a navigation request was initiated by a user. * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Sec-Fetch-User` * Attack: `` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ + * Method: `GET` + * Parameter: `Sec-Fetch-User` + * Attack: `` + * Evidence: `` + * Other Info: `` +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/robots.txt * Method: `GET` * Parameter: `Sec-Fetch-User` * Attack: `` * Evidence: `` * Other Info: `` -Instances: 3 +Instances: 4 ### Solution @@ -861,13 +885,13 @@ Ensure that Sec-Fetch-User header is included in user initiated requests. The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to "Auto-Detect" then this rule will change the session management to use the tokens identified. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` - * Parameter: `eed6a67d093ebd7ab21b438a506ffb35` + * Parameter: `8c745e4409e9f61c1c3dcb8c9d512912` * Attack: `` - * Evidence: `0f6319b625232906eb0494cd1722df50` + * Evidence: `7dcc6c2a0abc459473c6f640043a0e42` * Other Info: ` -cookie:eed6a67d093ebd7ab21b438a506ffb35` +cookie:8c745e4409e9f61c1c3dcb8c9d512912` Instances: 1 @@ -894,7 +918,7 @@ This is an informational alert rather than a vulnerability and so there is nothi The response contents are storable by caching components such as proxy servers, but will not be retrieved directly from the cache, without validating the request upstream, in response to similar requests from other users. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253/ +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180/ * Method: `GET` * Parameter: `` * Attack: `` @@ -932,73 +956,73 @@ Instances: 1 Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response. -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16` * Evidence: `` * Other Info: `` -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1253 +* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-1180 * Method: `GET` * Parameter: `Header User-Agent` * Attack: `msnbot/1.1 (+http://search.msn.com/msnbot.htm)`