diff --git a/report_json.json b/report_json.json
index e9fa5bec3..1ab841126 100644
--- a/report_json.json
+++ b/report_json.json
@@ -1,7 +1,7 @@
{
"@programName": "OWASP ZAP",
"@version": "2.13.0",
- "@generated": "Tue, 18 Jul 2023 05:27:32",
+ "@generated": "Tue, 18 Jul 2023 21:32:31",
"site":[
{
"@name": "https://chefs-dev.apps.silver.devops.gov.bc.ca",
@@ -85,34 +85,7 @@
"reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
http://www.w3.org/TR/CSP/
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
http://caniuse.com/#feat=contentsecuritypolicy
http://content-security-policy.com/
",
"cweid": "693",
"wascid": "15",
- "sourceid": "9"
- },
- {
- "pluginid": "10020",
- "alertRef": "10020-1",
- "alert": "Missing Anti-clickjacking Header",
- "name": "Missing Anti-clickjacking Header",
- "riskcode": "2",
- "confidence": "2",
- "riskdesc": "Medium (Medium)",
- "desc": "The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
",
- "instances":[
- {
- "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833/",
- "method": "GET",
- "param": "x-frame-options",
- "attack": "",
- "evidence": "",
- "otherinfo": ""
- }
- ],
- "count": "1",
- "solution": "Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's \"frame-ancestors\" directive.
",
- "otherinfo": "",
- "reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
",
- "cweid": "1021",
- "wascid": "15",
- "sourceid": "3"
+ "sourceid": "10"
},
{
"pluginid": "40025",
@@ -147,7 +120,7 @@
"reference": "https://tools.ietf.org/html/rfc7231#section-5.1.2
",
"cweid": "200",
"wascid": "45",
- "sourceid": "741"
+ "sourceid": "657"
},
{
"pluginid": "10054",
@@ -225,7 +198,7 @@
"reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
https://developers.google.com/web/updates/2018/06/feature-policy
https://scotthelme.co.uk/a-new-security-header-feature-policy/
https://w3c.github.io/webappsec-feature-policy/
https://www.smashingmagazine.com/2018/12/feature-policy/
",
"cweid": "693",
"wascid": "15",
- "sourceid": "9"
+ "sourceid": "10"
},
{
"pluginid": "10037",
@@ -311,7 +284,7 @@
"reference": "https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
https://owasp.org/www-community/Security_Headers
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
http://caniuse.com/stricttransportsecurity
http://tools.ietf.org/html/rfc6797
",
"cweid": "319",
"wascid": "15",
- "sourceid": "9"
+ "sourceid": "10"
},
{
"pluginid": "10021",
@@ -373,7 +346,7 @@
"reference": "http://projects.webappsec.org/Fingerprinting
",
"cweid": "200",
"wascid": "45",
- "sourceid": "844"
+ "sourceid": "760"
},
{
"pluginid": "10109",
@@ -390,7 +363,7 @@
"method": "GET",
"param": "",
"attack": "",
- "evidence": "",
+ "evidence": "",
"otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application."
}
],
@@ -451,7 +424,7 @@
"reference": "https://tools.ietf.org/html/rfc7234
https://tools.ietf.org/html/rfc7231
http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (obsoleted by rfc7234)
",
"cweid": "524",
"wascid": "13",
- "sourceid": "9"
+ "sourceid": "10"
},
{
"pluginid": "10015",
@@ -495,7 +468,7 @@
"method": "GET",
"param": "fc01c8a3cd4d44217c0955933da80179",
"attack": "",
- "evidence": "6a447b8a47719a62bdbf967fa621d68c",
+ "evidence": "df842d002f051ad1805962a1a288ab12",
"otherinfo": "\ncookie:fc01c8a3cd4d44217c0955933da80179"
},
{
@@ -503,7 +476,7 @@
"method": "GET",
"param": "fc01c8a3cd4d44217c0955933da80179",
"attack": "",
- "evidence": "6a447b8a47719a62bdbf967fa621d68c",
+ "evidence": "df842d002f051ad1805962a1a288ab12",
"otherinfo": "\ncookie:fc01c8a3cd4d44217c0955933da80179"
}
],
@@ -655,7 +628,7 @@
"reference": "https://owasp.org/wstg
",
"cweid": "0",
"wascid": "0",
- "sourceid": "509"
+ "sourceid": "431"
}
]
}
diff --git a/report_md.md b/report_md.md
index 0888094ad..c0a6b146e 100644
--- a/report_md.md
+++ b/report_md.md
@@ -6,7 +6,7 @@
| Risk Level | Number of Alerts |
| --- | --- |
| High | 0 |
-| Medium | 4 |
+| Medium | 3 |
| Low | 5 |
| Informational | 7 |
@@ -19,7 +19,6 @@
| --- | --- | --- |
| CSP: Wildcard Directive | Medium | 1 |
| Content Security Policy (CSP) Header Not Set | Medium | 4 |
-| Missing Anti-clickjacking Header | Medium | 1 |
| Proxy Disclosure | Medium | 2 |
| Cookie with SameSite Attribute None | Low | 1 |
| Permissions Policy Header Not Set | Low | 4 |
@@ -133,42 +132,6 @@ Ensure that your web server, application server, load balancer, etc. is configur
#### CWE Id: [ 693 ](https://cwe.mitre.org/data/definitions/693.html)
-#### WASC Id: 15
-
-#### Source ID: 3
-
-### [ Missing Anti-clickjacking Header ](https://www.zaproxy.org/docs/alerts/10020/)
-
-
-
-##### Medium (Medium)
-
-### Description
-
-The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
-
-* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833/
- * Method: `GET`
- * Parameter: `x-frame-options`
- * Attack: ``
- * Evidence: ``
-
-Instances: 1
-
-### Solution
-
-Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
-If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
-
-### Reference
-
-
-* [ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options ](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)
-
-
-#### CWE Id: [ 1021 ](https://cwe.mitre.org/data/definitions/1021.html)
-
-
#### WASC Id: 15
#### Source ID: 3
@@ -495,7 +458,7 @@ The application appears to be a modern web application. If you need to explore i
* Method: `GET`
* Parameter: ``
* Attack: ``
- * Evidence: ``
+ * Evidence: ``
Instances: 1
@@ -624,12 +587,12 @@ The given response has been identified as containing a session management token.
* Method: `GET`
* Parameter: `fc01c8a3cd4d44217c0955933da80179`
* Attack: ``
- * Evidence: `6a447b8a47719a62bdbf967fa621d68c`
+ * Evidence: `df842d002f051ad1805962a1a288ab12`
* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833
* Method: `GET`
* Parameter: `fc01c8a3cd4d44217c0955933da80179`
* Attack: ``
- * Evidence: `6a447b8a47719a62bdbf967fa621d68c`
+ * Evidence: `df842d002f051ad1805962a1a288ab12`
Instances: 2