Deploying to zap-scan from @ b1ecde4 🚀

bcgov · Jul 12, 2023 · 36fb50e · 36fb50e
1 parent 4da8d35
commit 36fb50e
Show file tree

Hide file tree

Showing 3 changed files with 164 additions and 13 deletions.
diff --git a/report_html.html b/report_html.html
@@ -127,7 +127,7 @@ <h2>
 	</h2>
 
 	<h3>
-		Generated on Wed, 12 Jul 2023 21:37:54
+		Generated on Wed, 12 Jul 2023 22:21:18
 	</h3>
 
 	<h3>
@@ -156,7 +156,7 @@ <h3 class="left-header">Summary of Alerts</h3>
 					<div>Medium</div>
 				</td>
 				<td align="center">
-					<div>3</div>
+					<div>4</div>
 				</td>
 			</tr>
 			<tr>
@@ -207,6 +207,11 @@ <h3>Alerts</h3>
 				<td align="center" class="risk-2">Medium</td>
 				<td align="center">4</td>
 			</tr>
+			<tr>
+				<td><a href="#10020">Missing Anti-clickjacking Header</a></td>
+				<td align="center" class="risk-2">Medium</td>
+				<td align="center">1</td>
+			</tr>
 			<tr>
 				<td><a href="#40025">Proxy Disclosure</a></td>
 				<td align="center" class="risk-2">Medium</td>
@@ -548,6 +553,88 @@ <h3>Alert Detail</h3>
 			</table>
 			<div class="spacer"></div>
 
+			<table class="results">
+				<tr height="24">
+					<th width="20%" class="risk-2"><a
+						id="10020"></a>
+						<div>Medium</div></th>
+					<th class="risk-2">Missing Anti-clickjacking Header</th>
+				</tr>
+				<tr>
+					<td width="20%">Description</td>
+					<td width="80%">
+							<div>The response does not include either Content-Security-Policy with &#39;frame-ancestors&#39; directive or X-Frame-Options to protect against &#39;ClickJacking&#39; attacks.</div>
+
+						</td>
+				</tr>
+				<TR vAlign="top">
+					<TD colspan="2"></TD>
+				</TR>
+
+					<tr>
+						<td width="20%"
+							class="indent1">URL</td>
+						<td width="80%"><a href="https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-874/">https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-874/</a></td>
+					</tr>
+					<tr>
+						<td width="20%"
+							class="indent2">Method</td>
+						<td width="80%">GET</td>
+					</tr>
+					<tr>
+						<td width="20%"
+							class="indent2">Parameter</td>
+						<td width="80%">x-frame-options</td>
+					</tr>
+					<tr>
+						<td width="20%"
+							class="indent2">Attack</td>
+						<td width="80%"></td>
+					</tr>
+					<tr>
+						<td width="20%"
+							class="indent2">Evidence</td>
+						<td width="80%"></td>
+					</tr>
+
+				<tr>
+					<td width="20%">Instances</td>
+					<td width="80%">1</td>
+				</tr>
+				<tr>
+					<td width="20%">Solution</td>
+					<td width="80%">
+							<div>Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.</div>
+							<br />
+
+							<div>If you expect the page to be framed only by pages on your server (e.g. it&#39;s part of a FRAMESET) then you&#39;ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy&#39;s &quot;frame-ancestors&quot; directive.</div>
+
+						</td>
+				</tr>
+				<tr>
+					<td width="20%">Reference</td>
+					<td width="80%">
+							<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options</a>
+
+						</td>
+				</tr>
+				<tr>
+					<td width="20%">CWE Id</td>
+					<td width="80%"><a
+						href="https://cwe.mitre.org/data/definitions/1021.html">1021</a></td>
+				</tr>
+				<tr>
+					<td width="20%">WASC Id</td>
+					<td width="80%">15</td>
+				</tr>
+				<tr>
+					<td width="20%">Plugin Id</td>
+					<td width="80%"><a
+						href="https://www.zaproxy.org/docs/alerts/10020/">10020</a></td>
+				</tr>
+			</table>
+			<div class="spacer"></div>
+
 			<table class="results">
 				<tr height="24">
 					<th width="20%" class="risk-2"><a
@@ -1780,7 +1867,7 @@ <h3>Alert Detail</h3>
 					<tr>
 						<td width="20%"
 							class="indent2">Evidence</td>
-						<td width="80%">91b4b9f0094d29c6d90e0a9f089570dd</td>
+						<td width="80%">f40fa87843e0b7a9121e6f431faf1bd2</td>
 					</tr>
 
 					<tr>
@@ -1806,7 +1893,7 @@ <h3>Alert Detail</h3>
 					<tr>
 						<td width="20%"
 							class="indent2">Evidence</td>
-						<td width="80%">91b4b9f0094d29c6d90e0a9f089570dd</td>
+						<td width="80%">f40fa87843e0b7a9121e6f431faf1bd2</td>
 					</tr>
 
 				<tr>

diff --git a/report_json.json b/report_json.json
@@ -1,7 +1,7 @@
 {
 	"@programName": "OWASP ZAP",
 	"@version": "2.13.0",
-	"@generated": "Wed, 12 Jul 2023 21:37:54",
+	"@generated": "Wed, 12 Jul 2023 22:21:18",
 	"site":[ 
 		{
 			"@name": "https://chefs-dev.apps.silver.devops.gov.bc.ca",
@@ -87,6 +87,33 @@
 					"wascid": "15",
 					"sourceid": "9"
 				},
+				{
+					"pluginid": "10020",
+					"alertRef": "10020-1",
+					"alert": "Missing Anti-clickjacking Header",
+					"name": "Missing Anti-clickjacking Header",
+					"riskcode": "2",
+					"confidence": "2",
+					"riskdesc": "Medium (Medium)",
+					"desc": "<p>The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.</p>",
+					"instances":[ 
+						{
+							"uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-874/",
+							"method": "GET",
+							"param": "x-frame-options",
+							"attack": "",
+							"evidence": "",
+							"otherinfo": ""
+						}
+					],
+					"count": "1",
+					"solution": "<p>Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.</p><p>If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's \"frame-ancestors\" directive.</p>",
+					"otherinfo": "",
+					"reference": "<p>https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options</p>",
+					"cweid": "1021",
+					"wascid": "15",
+					"sourceid": "3"
+				},
 				{
 					"pluginid": "40025",
 					"alertRef": "40025",
@@ -120,7 +147,7 @@
 					"reference": "<p>https://tools.ietf.org/html/rfc7231#section-5.1.2</p>",
 					"cweid": "200",
 					"wascid": "45",
-					"sourceid": "798"
+					"sourceid": "766"
 				},
 				{
 					"pluginid": "10054",
@@ -346,7 +373,7 @@
 					"reference": "<p>http://projects.webappsec.org/Fingerprinting</p><p></p>",
 					"cweid": "200",
 					"wascid": "45",
-					"sourceid": "901"
+					"sourceid": "871"
 				},
 				{
 					"pluginid": "10109",
@@ -468,15 +495,15 @@
 							"method": "GET",
 							"param": "aa9bcdf2aa172bd4923c79a2c4e51d8e",
 							"attack": "",
-							"evidence": "91b4b9f0094d29c6d90e0a9f089570dd",
+							"evidence": "f40fa87843e0b7a9121e6f431faf1bd2",
 							"otherinfo": "\ncookie:aa9bcdf2aa172bd4923c79a2c4e51d8e"
 						},
 						{
 							"uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-874",
 							"method": "GET",
 							"param": "aa9bcdf2aa172bd4923c79a2c4e51d8e",
 							"attack": "",
-							"evidence": "91b4b9f0094d29c6d90e0a9f089570dd",
+							"evidence": "f40fa87843e0b7a9121e6f431faf1bd2",
 							"otherinfo": "\ncookie:aa9bcdf2aa172bd4923c79a2c4e51d8e"
 						}
 					],
@@ -628,7 +655,7 @@
 					"reference": "<p>https://owasp.org/wstg</p>",
 					"cweid": "0",
 					"wascid": "0",
-					"sourceid": "569"
+					"sourceid": "535"
 				}
 			]
 		}

diff --git a/report_md.md b/report_md.md
@@ -6,7 +6,7 @@
 | Risk Level | Number of Alerts |
 | --- | --- |
 | High | 0 |
-| Medium | 3 |
+| Medium | 4 |
 | Low | 5 |
 | Informational | 7 |
 
@@ -19,6 +19,7 @@
 | --- | --- | --- |
 | CSP: Wildcard Directive | Medium | 1 |
 | Content Security Policy (CSP) Header Not Set | Medium | 4 |
+| Missing Anti-clickjacking Header | Medium | 1 |
 | Proxy Disclosure | Medium | 2 |
 | Cookie with SameSite Attribute None | Low | 1 |
 | Permissions Policy Header Not Set | Low | 4 |
@@ -132,6 +133,42 @@ Ensure that your web server, application server, load balancer, etc. is configur
 #### CWE Id: [ 693 ](https://cwe.mitre.org/data/definitions/693.html)
 
 
+#### WASC Id: 15
+
+#### Source ID: 3
+
+### [ Missing Anti-clickjacking Header ](https://www.zaproxy.org/docs/alerts/10020/)
+
+
+
+##### Medium (Medium)
+
+### Description
+
+The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
+
+* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-874/
+  * Method: `GET`
+  * Parameter: `x-frame-options`
+  * Attack: ``
+  * Evidence: ``
+
+Instances: 1
+
+### Solution
+
+Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
+If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
+
+### Reference
+
+
+* [ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options ](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)
+
+
+#### CWE Id: [ 1021 ](https://cwe.mitre.org/data/definitions/1021.html)
+
+
 #### WASC Id: 15
 
 #### Source ID: 3
@@ -587,12 +624,12 @@ The given response has been identified as containing a session management token.
   * Method: `GET`
   * Parameter: `aa9bcdf2aa172bd4923c79a2c4e51d8e`
   * Attack: ``
-  * Evidence: `91b4b9f0094d29c6d90e0a9f089570dd`
+  * Evidence: `f40fa87843e0b7a9121e6f431faf1bd2`
 * URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-874
   * Method: `GET`
   * Parameter: `aa9bcdf2aa172bd4923c79a2c4e51d8e`
   * Attack: ``
-  * Evidence: `91b4b9f0094d29c6d90e0a9f089570dd`
+  * Evidence: `f40fa87843e0b7a9121e6f431faf1bd2`
 
 Instances: 2