Deploying to zap-scan from @ 0cfc474 🚀
timisenco2015 committed Jul 18, 2023
1 parent 51303a3 commit 1fc2c91
Showing 3 changed files with 20 additions and 171 deletions.
97 changes: 5 additions & 92 deletions report_html.html
@@ -127,7 +127,7 @@ <h2>
</h2>

<h3>
Generated on Tue, 18 Jul 2023 05:27:32
Generated on Tue, 18 Jul 2023 21:32:31
</h3>

<h3>
@@ -156,7 +156,7 @@ <h3 class="left-header">Summary of Alerts</h3>
<div>Medium</div>
</td>
<td align="center">
<div>4</div>
<div>3</div>
</td>
</tr>
<tr>
@@ -207,11 +207,6 @@ <h3>Alerts</h3>
<td align="center" class="risk-2">Medium</td>
<td align="center">4</td>
</tr>
<tr>
<td><a href="#10020">Missing Anti-clickjacking Header</a></td>
<td align="center" class="risk-2">Medium</td>
<td align="center">1</td>
</tr>
<tr>
<td><a href="#40025">Proxy Disclosure</a></td>
<td align="center" class="risk-2">Medium</td>
@@ -553,88 +548,6 @@ <h3>Alert Detail</h3>
</table>
<div class="spacer"></div>

<table class="results">
<tr height="24">
<th width="20%" class="risk-2"><a
id="10020"></a>
<div>Medium</div></th>
<th class="risk-2">Missing Anti-clickjacking Header</th>
</tr>
<tr>
<td width="20%">Description</td>
<td width="80%">
<div>The response does not include either Content-Security-Policy with &#39;frame-ancestors&#39; directive or X-Frame-Options to protect against &#39;ClickJacking&#39; attacks.</div>

</td>
</tr>
<TR vAlign="top">
<TD colspan="2"></TD>
</TR>

<tr>
<td width="20%"
class="indent1">URL</td>
<td width="80%"><a href="https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833/">https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833/</a></td>
</tr>
<tr>
<td width="20%"
class="indent2">Method</td>
<td width="80%">GET</td>
</tr>
<tr>
<td width="20%"
class="indent2">Parameter</td>
<td width="80%">x-frame-options</td>
</tr>
<tr>
<td width="20%"
class="indent2">Attack</td>
<td width="80%"></td>
</tr>
<tr>
<td width="20%"
class="indent2">Evidence</td>
<td width="80%"></td>
</tr>

<tr>
<td width="20%">Instances</td>
<td width="80%">1</td>
</tr>
<tr>
<td width="20%">Solution</td>
<td width="80%">
<div>Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.</div>
<br />

<div>If you expect the page to be framed only by pages on your server (e.g. it&#39;s part of a FRAMESET) then you&#39;ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy&#39;s &quot;frame-ancestors&quot; directive.</div>

</td>
</tr>
<tr>
<td width="20%">Reference</td>
<td width="80%">
<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options</a>

</td>
</tr>
<tr>
<td width="20%">CWE Id</td>
<td width="80%"><a
href="https://cwe.mitre.org/data/definitions/1021.html">1021</a></td>
</tr>
<tr>
<td width="20%">WASC Id</td>
<td width="80%">15</td>
</tr>
<tr>
<td width="20%">Plugin Id</td>
<td width="80%"><a
href="https://www.zaproxy.org/docs/alerts/10020/">10020</a></td>
</tr>
</table>
<div class="spacer"></div>

<table class="results">
<tr height="24">
<th width="20%" class="risk-2"><a
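Review bot: the Missing Anti-clickjacking Header alert (plugin 10020, CWE 1021) for https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833/ disappears from the report, but nothing in this diff shows the response now carrying X-Frame-Options or a Content-Security-Policy frame-ancestors directive, which is what the removed Solution text calls for. This is a passive check against whatever the PR deployment returned at scan time, so confirm the header is actually present on that URL (for example by inspecting the response headers in the pipeline) rather than reading the missing row alone as a resolved finding; a changed route, a cached response or a failed fetch would drop the alert just as effectively.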
@@ -1511,7 +1424,7 @@ <h3>Alert Detail</h3>
<tr>
<td width="20%"
class="indent2">Evidence</td>
<td width="80%">&lt;script src=&quot;/pr-833/js/chunk-vendors.e1706700.js&quot;&gt;&lt;/script&gt;</td>
<td width="80%">&lt;script src=&quot;/pr-833/js/chunk-vendors.877ab96e.js&quot;&gt;&lt;/script&gt;</td>
</tr>

<tr>
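Review bot: the only change in this hunk is the content hash in the bundle filename (chunk-vendors.e1706700.js to chunk-vendors.877ab96e.js), so this Evidence line will differ on every build even when nothing security-relevant changed. If these reports are committed on each deploy, consider normalising or omitting volatile evidence fields so that the diff surfaces real changes such as the alert removal earlier in this commit instead of build churn.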
@@ -1867,7 +1780,7 @@ <h3>Alert Detail</h3>
<tr>
<td width="20%"
class="indent2">Evidence</td>
<td width="80%">6a447b8a47719a62bdbf967fa621d68c</td>
<td width="80%">df842d002f051ad1805962a1a288ab12</td>
</tr>

<tr>
@@ -1893,7 +1806,7 @@ <h3>Alert Detail</h3>
<tr>
<td width="20%"
class="indent2">Evidence</td>
<td width="80%">6a447b8a47719a62bdbf967fa621d68c</td>
<td width="80%">df842d002f051ad1805962a1a288ab12</td>
</tr>

<tr>
49 changes: 11 additions & 38 deletions report_json.json
@@ -1,7 +1,7 @@
{
"@programName": "OWASP ZAP",
"@version": "2.13.0",
"@generated": "Tue, 18 Jul 2023 05:27:32",
"@generated": "Tue, 18 Jul 2023 21:32:31",
"site":[
{
"@name": "https://chefs-dev.apps.silver.devops.gov.bc.ca",
@@ -85,34 +85,7 @@
"reference": "<p>https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy</p><p>https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html</p><p>http://www.w3.org/TR/CSP/</p><p>http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html</p><p>http://www.html5rocks.com/en/tutorials/security/content-security-policy/</p><p>http://caniuse.com/#feat=contentsecuritypolicy</p><p>http://content-security-policy.com/</p>",
"cweid": "693",
"wascid": "15",
"sourceid": "9"
},
{
"pluginid": "10020",
"alertRef": "10020-1",
"alert": "Missing Anti-clickjacking Header",
"name": "Missing Anti-clickjacking Header",
"riskcode": "2",
"confidence": "2",
"riskdesc": "Medium (Medium)",
"desc": "<p>The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.</p>",
"instances":[
{
"uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833/",
"method": "GET",
"param": "x-frame-options",
"attack": "",
"evidence": "",
"otherinfo": ""
}
],
"count": "1",
"solution": "<p>Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.</p><p>If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's \"frame-ancestors\" directive.</p>",
"otherinfo": "",
"reference": "<p>https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options</p>",
"cweid": "1021",
"wascid": "15",
"sourceid": "3"
"sourceid": "10"
},
{
"pluginid": "40025",
@@ -147,7 +120,7 @@
"reference": "<p>https://tools.ietf.org/html/rfc7231#section-5.1.2</p>",
"cweid": "200",
"wascid": "45",
"sourceid": "741"
"sourceid": "657"
},
{
"pluginid": "10054",
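Review bot: `"sourceid": "741"` to `"sourceid": "657"` (and the same pattern in the other JSON hunks: 9 to 10, 844 to 760, 509 to 431) is ZAP's history reference to the HTTP message in the scan session that produced the alert, so it is renumbered on every rescan and carries no meaning outside that session. Treat these lines as noise when reviewing report diffs; the fields worth reading are the alert list, the instance counts and the evidence.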
@@ -225,7 +198,7 @@
"reference": "<p>https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy</p><p>https://developers.google.com/web/updates/2018/06/feature-policy</p><p>https://scotthelme.co.uk/a-new-security-header-feature-policy/</p><p>https://w3c.github.io/webappsec-feature-policy/</p><p>https://www.smashingmagazine.com/2018/12/feature-policy/</p>",
"cweid": "693",
"wascid": "15",
"sourceid": "9"
"sourceid": "10"
},
{
"pluginid": "10037",
@@ -311,7 +284,7 @@
"reference": "<p>https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html</p><p>https://owasp.org/www-community/Security_Headers</p><p>http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security</p><p>http://caniuse.com/stricttransportsecurity</p><p>http://tools.ietf.org/html/rfc6797</p>",
"cweid": "319",
"wascid": "15",
"sourceid": "9"
"sourceid": "10"
},
{
"pluginid": "10021",
@@ -373,7 +346,7 @@
"reference": "<p>http://projects.webappsec.org/Fingerprinting</p><p></p>",
"cweid": "200",
"wascid": "45",
"sourceid": "844"
"sourceid": "760"
},
{
"pluginid": "10109",
@@ -390,7 +363,7 @@
"method": "GET",
"param": "",
"attack": "",
"evidence": "<script src=\"/pr-833/js/chunk-vendors.e1706700.js\"></script>",
"evidence": "<script src=\"/pr-833/js/chunk-vendors.877ab96e.js\"></script>",
"otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application."
}
],
@@ -451,7 +424,7 @@
"reference": "<p>https://tools.ietf.org/html/rfc7234</p><p>https://tools.ietf.org/html/rfc7231</p><p>http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (obsoleted by rfc7234)</p>",
"cweid": "524",
"wascid": "13",
"sourceid": "9"
"sourceid": "10"
},
{
"pluginid": "10015",
@@ -495,15 +468,15 @@
"method": "GET",
"param": "fc01c8a3cd4d44217c0955933da80179",
"attack": "",
"evidence": "6a447b8a47719a62bdbf967fa621d68c",
"evidence": "df842d002f051ad1805962a1a288ab12",
"otherinfo": "\ncookie:fc01c8a3cd4d44217c0955933da80179"
},
{
"uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833",
"method": "GET",
"param": "fc01c8a3cd4d44217c0955933da80179",
"attack": "",
"evidence": "6a447b8a47719a62bdbf967fa621d68c",
"evidence": "df842d002f051ad1805962a1a288ab12",
"otherinfo": "\ncookie:fc01c8a3cd4d44217c0955933da80179"
}
],
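Review bot: the two Evidence values in this hunk (6a447b8a47719a62bdbf967fa621d68c replaced by df842d002f051ad1805962a1a288ab12) are values of the cookie named fc01c8a3cd4d44217c0955933da80179, which the report flags as a session management token (otherinfo "cookie:fc01c8a3cd4d44217c0955933da80179"). Committing the report as-is writes a live session identifier for the pr-833 deployment into git history on every scan. Unless these sessions are known to be invalidated when the scan finishes, redact the evidence field for this alert before the report is committed, or keep the reports as pipeline artifacts rather than in the repository.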
@@ -655,7 +628,7 @@
"reference": "<p>https://owasp.org/wstg</p>",
"cweid": "0",
"wascid": "0",
"sourceid": "509"
"sourceid": "431"
}
]
}
45 changes: 4 additions & 41 deletions report_md.md
@@ -6,7 +6,7 @@
| Risk Level | Number of Alerts |
| --- | --- |
| High | 0 |
| Medium | 4 |
| Medium | 3 |
| Low | 5 |
| Informational | 7 |

@@ -19,7 +19,6 @@
| --- | --- | --- |
| CSP: Wildcard Directive | Medium | 1 |
| Content Security Policy (CSP) Header Not Set | Medium | 4 |
| Missing Anti-clickjacking Header | Medium | 1 |
| Proxy Disclosure | Medium | 2 |
| Cookie with SameSite Attribute None | Low | 1 |
| Permissions Policy Header Not Set | Low | 4 |
@@ -133,42 +132,6 @@ Ensure that your web server, application server, load balancer, etc. is configur
#### CWE Id: [ 693 ](https://cwe.mitre.org/data/definitions/693.html)


#### WASC Id: 15

#### Source ID: 3

### [ Missing Anti-clickjacking Header ](https://www.zaproxy.org/docs/alerts/10020/)



##### Medium (Medium)

### Description

The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.

* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833/
* Method: `GET`
* Parameter: `x-frame-options`
* Attack: ``
* Evidence: ``

Instances: 1

### Solution

Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.

### Reference


* [ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options ](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)


#### CWE Id: [ 1021 ](https://cwe.mitre.org/data/definitions/1021.html)


#### WASC Id: 15

#### Source ID: 3
@@ -495,7 +458,7 @@ The application appears to be a modern web application. If you need to explore i
* Method: `GET`
* Parameter: ``
* Attack: ``
* Evidence: `<script src="/pr-833/js/chunk-vendors.e1706700.js"></script>`
* Evidence: `<script src="/pr-833/js/chunk-vendors.877ab96e.js"></script>`

Instances: 1

@@ -624,12 +587,12 @@ The given response has been identified as containing a session management token.
* Method: `GET`
* Parameter: `fc01c8a3cd4d44217c0955933da80179`
* Attack: ``
* Evidence: `6a447b8a47719a62bdbf967fa621d68c`
* Evidence: `df842d002f051ad1805962a1a288ab12`
* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833
* Method: `GET`
* Parameter: `fc01c8a3cd4d44217c0955933da80179`
* Attack: ``
* Evidence: `6a447b8a47719a62bdbf967fa621d68c`
* Evidence: `df842d002f051ad1805962a1a288ab12`

Instances: 2

