From 1fc2c910c8246f4eca571e2f082be60b58e35714 Mon Sep 17 00:00:00 2001 From: timisenco2015 Date: Tue, 18 Jul 2023 21:32:37 +0000 Subject: [PATCH] =?UTF-8?q?Deploying=20to=20zap-scan=20from=20@=20bcgov/co?= =?UTF-8?q?mmon-hosted-form-service@0cfc474e62cb409493dd0b7545c9910dd76b0f?= =?UTF-8?q?f7=20=F0=9F=9A=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- report_html.html | 97 +++--------------------------------------------- report_json.json | 49 ++++++------------------ report_md.md | 45 ++-------------------- 3 files changed, 20 insertions(+), 171 deletions(-) diff --git a/report_html.html b/report_html.html index 987a023d3..7d515c3f5 100644 --- a/report_html.html +++ b/report_html.html @@ -127,7 +127,7 @@

- Generated on Tue, 18 Jul 2023 05:27:32 + Generated on Tue, 18 Jul 2023 21:32:31

@@ -156,7 +156,7 @@

Summary of Alerts

Medium
-
4
+
3
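Review bot: the Medium total drops from 4 to 3 in this summary hunk only because the Missing Anti-clickjacking Header alert is absent from the 21:32 scan; nothing in this commit touches the application, it only replaces the three report files. Before treating the drop as a fix, confirm that the source commit named in the subject (bcgov/common-hosted-form-service@0cfc474e...) actually adds X-Frame-Options or a Content-Security-Policy frame-ancestors directive on the https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833/ response that the removed alert detail points at. A Medium finding that disappears between two scans of the same day can equally mean the scanner did not reach that URL or received a different response this time, and the report diff alone cannot tell the two apart.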
@@ -207,11 +207,6 @@

Alerts

Medium 4 - - Missing Anti-clickjacking Header - Medium - 1 - Proxy Disclosure Medium @@ -553,88 +548,6 @@

Alert Detail

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
Medium
Missing Anti-clickjacking Header
Description -
The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
- -
URLhttps://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833/
MethodGET
Parameterx-frame-options
Attack
Evidence
Instances1
Solution -
Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
-
- -
If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
- -
Reference - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options - -
CWE Id1021
WASC Id15
Plugin Id10020
-
- - + @@ -1867,7 +1780,7 @@

Alert Detail

- + @@ -1893,7 +1806,7 @@

Alert Detail

- + diff --git a/report_json.json b/report_json.json index e9fa5bec3..1ab841126 100644 --- a/report_json.json +++ b/report_json.json @@ -1,7 +1,7 @@ { "@programName": "OWASP ZAP", "@version": "2.13.0", - "@generated": "Tue, 18 Jul 2023 05:27:32", + "@generated": "Tue, 18 Jul 2023 21:32:31", "site":[ { "@name": "https://chefs-dev.apps.silver.devops.gov.bc.ca", @@ -85,34 +85,7 @@ "reference": "

https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy

https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

http://www.w3.org/TR/CSP/

http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html

http://www.html5rocks.com/en/tutorials/security/content-security-policy/

http://caniuse.com/#feat=contentsecuritypolicy

http://content-security-policy.com/

", "cweid": "693", "wascid": "15", - "sourceid": "9" - }, - { - "pluginid": "10020", - "alertRef": "10020-1", - "alert": "Missing Anti-clickjacking Header", - "name": "Missing Anti-clickjacking Header", - "riskcode": "2", - "confidence": "2", - "riskdesc": "Medium (Medium)", - "desc": "

The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.

", - "instances":[ - { - "uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833/", - "method": "GET", - "param": "x-frame-options", - "attack": "", - "evidence": "", - "otherinfo": "" - } - ], - "count": "1", - "solution": "

Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.

If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's \"frame-ancestors\" directive.

", - "otherinfo": "", - "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

", - "cweid": "1021", - "wascid": "15", - "sourceid": "3" + "sourceid": "10" }, { "pluginid": "40025", @@ -147,7 +120,7 @@ "reference": "

https://tools.ietf.org/html/rfc7231#section-5.1.2

", "cweid": "200", "wascid": "45", - "sourceid": "741" + "sourceid": "657" }, { "pluginid": "10054", @@ -225,7 +198,7 @@ "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

https://developers.google.com/web/updates/2018/06/feature-policy

https://scotthelme.co.uk/a-new-security-header-feature-policy/

https://w3c.github.io/webappsec-feature-policy/

https://www.smashingmagazine.com/2018/12/feature-policy/

", "cweid": "693", "wascid": "15", - "sourceid": "9" + "sourceid": "10" }, { "pluginid": "10037", @@ -311,7 +284,7 @@ "reference": "

https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html

https://owasp.org/www-community/Security_Headers

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

http://caniuse.com/stricttransportsecurity

http://tools.ietf.org/html/rfc6797

", "cweid": "319", "wascid": "15", - "sourceid": "9" + "sourceid": "10" }, { "pluginid": "10021", @@ -373,7 +346,7 @@ "reference": "

http://projects.webappsec.org/Fingerprinting

", "cweid": "200", "wascid": "45", - "sourceid": "844" + "sourceid": "760" }, { "pluginid": "10109", @@ -390,7 +363,7 @@ "method": "GET", "param": "", "attack": "", - "evidence": "", + "evidence": "", "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." } ], @@ -451,7 +424,7 @@ "reference": "

https://tools.ietf.org/html/rfc7234

https://tools.ietf.org/html/rfc7231

http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (obsoleted by rfc7234)

", "cweid": "524", "wascid": "13", - "sourceid": "9" + "sourceid": "10" }, { "pluginid": "10015", @@ -495,7 +468,7 @@ "method": "GET", "param": "fc01c8a3cd4d44217c0955933da80179", "attack": "", - "evidence": "6a447b8a47719a62bdbf967fa621d68c", + "evidence": "df842d002f051ad1805962a1a288ab12", "otherinfo": "\ncookie:fc01c8a3cd4d44217c0955933da80179" }, { @@ -503,7 +476,7 @@ "method": "GET", "param": "fc01c8a3cd4d44217c0955933da80179", "attack": "", - "evidence": "6a447b8a47719a62bdbf967fa621d68c", + "evidence": "df842d002f051ad1805962a1a288ab12", "otherinfo": "\ncookie:fc01c8a3cd4d44217c0955933da80179" } ], @@ -655,7 +628,7 @@ "reference": "

https://owasp.org/wstg

", "cweid": "0", "wascid": "0", - "sourceid": "509" + "sourceid": "431" } ] } diff --git a/report_md.md b/report_md.md index 0888094ad..c0a6b146e 100644 --- a/report_md.md +++ b/report_md.md @@ -6,7 +6,7 @@ | Risk Level | Number of Alerts | | --- | --- | | High | 0 | -| Medium | 4 | +| Medium | 3 | | Low | 5 | | Informational | 7 | @@ -19,7 +19,6 @@ | --- | --- | --- | | CSP: Wildcard Directive | Medium | 1 | | Content Security Policy (CSP) Header Not Set | Medium | 4 | -| Missing Anti-clickjacking Header | Medium | 1 | | Proxy Disclosure | Medium | 2 | | Cookie with SameSite Attribute None | Low | 1 | | Permissions Policy Header Not Set | Low | 4 | 
@@ -133,42 +132,6 @@ Ensure that your web server, application server, load balancer, etc. is configur #### CWE Id: [ 693 ](https://cwe.mitre.org/data/definitions/693.html) -#### WASC Id: 15 - -#### Source ID: 3 - -### [ Missing Anti-clickjacking Header ](https://www.zaproxy.org/docs/alerts/10020/) - - - -##### Medium (Medium) - -### Description - -The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. - -* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833/ - * Method: `GET` - * Parameter: `x-frame-options` - * Attack: `` - * Evidence: `` - -Instances: 1 - -### Solution - -Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app. -If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. - -### Reference - - -* [ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options ](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) - - -#### CWE Id: [ 1021 ](https://cwe.mitre.org/data/definitions/1021.html) - - #### WASC Id: 15 #### Source ID: 3 @@ -495,7 +458,7 @@ The application appears to be a modern web application. If you need to explore i * Method: `GET` * Parameter: `` * Attack: `` - * Evidence: `` + * Evidence: `` Instances: 1 
@@ -624,12 +587,12 @@ The given response has been identified as containing a session management token. * Method: `GET` * Parameter: `fc01c8a3cd4d44217c0955933da80179` * Attack: `` - * Evidence: `6a447b8a47719a62bdbf967fa621d68c` + * Evidence: `df842d002f051ad1805962a1a288ab12` * URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833 * Method: `GET` * Parameter: `fc01c8a3cd4d44217c0955933da80179` * Attack: `` - * Evidence: `6a447b8a47719a62bdbf967fa621d68c` + * Evidence: `df842d002f051ad1805962a1a288ab12` Instances: 2
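Review bot: in the `@@ -85,34 +85,7 @@` hunk of report_json.json the only retained change besides the removed pluginid 10020 block is `"sourceid": "9"` becoming `"sourceid": "10"`, and the same pattern repeats in the later hunks (741 to 657, 844 to 760, 509 to 431). `sourceid` is ZAP's reference to the HTTP message in that scan's session, so it changes on every run regardless of whether any finding changed; together with the `@generated` timestamp it guarantees a non-empty diff on every deploy. Consider normalising these fields in the workflow before committing (drop or zero `sourceid` and `@generated` in all three report formats) so that a report diff shows only real changes in alerts, instances or evidence.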
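Review bot: the `- "evidence": "",` / `+ "evidence": "",` pair in the `@@ -390,7 +363,7 @@` hunk of report_json.json cannot be reviewed as shown, since both lines read identically; the real change has been lost from this view, and the residue at the end of the page indicates it was a `<script src="/pr-833/js/chunk-vendors.*.js"></script>` tag whose hashed filename changed between builds. Two points follow: evidence that carries raw HTML needs escaping wherever these reports are rendered, and a build-hashed asset filename stored in the evidence field is one more value that churns on every deploy without any security-relevant change, so the same normalisation suggested for `sourceid` should cover it.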
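Review bot: the `@@ -495,7 +468,7 @@` and `@@ -503,7 +476,7 @@` hunks replace `"evidence": "6a447b8a47719a62bdbf967fa621d68c"` with `"evidence": "df842d002f051ad1805962a1a288ab12"` for the parameter `fc01c8a3cd4d44217c0955933da80179`, which the `otherinfo` field labels as a cookie and which the report_md.md context for the same alert describes with "The given response has been identified as containing a session management token". The evidence therefore appears to be the live token value issued to the scanner by the pr-833 environment, and every scan writes a fresh one into git history. Redact or hash the `evidence` field for this alert in the workflow before committing; the finding is fully identified by the cookie name, URL and instance count without the token value, and dropping it also removes one more per-scan diff.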
Alert Detail
Evidence<script src="/pr-833/js/chunk-vendors.e1706700.js"></script><script src="/pr-833/js/chunk-vendors.877ab96e.js"></script>
Evidence6a447b8a47719a62bdbf967fa621d68cdf842d002f051ad1805962a1a288ab12
Evidence6a447b8a47719a62bdbf967fa621d68cdf842d002f051ad1805962a1a288ab12