Deploying to zap-scan from @ 9a63ecd 🚀

bcgov · Jul 18, 2023 · 8f42bd2 · 8f42bd2
1 parent 64e25af
commit 8f42bd2
Show file tree

Hide file tree

Showing 3 changed files with 168 additions and 17 deletions.
diff --git a/report_html.html b/report_html.html
@@ -127,7 +127,7 @@ <h2>
 	</h2>
 
 	<h3>
-		Generated on Tue, 18 Jul 2023 22:23:27
+		Generated on Tue, 18 Jul 2023 22:52:47
 	</h3>
 
 	<h3>
@@ -156,7 +156,7 @@ <h3 class="left-header">Summary of Alerts</h3>
 					<div>Medium</div>
 				</td>
 				<td align="center">
-					<div>3</div>
+					<div>4</div>
 				</td>
 			</tr>
 			<tr>
@@ -207,6 +207,11 @@ <h3>Alerts</h3>
 				<td align="center" class="risk-2">Medium</td>
 				<td align="center">4</td>
 			</tr>
+			<tr>
+				<td><a href="#10020">Missing Anti-clickjacking Header</a></td>
+				<td align="center" class="risk-2">Medium</td>
+				<td align="center">1</td>
+			</tr>
 			<tr>
 				<td><a href="#40025">Proxy Disclosure</a></td>
 				<td align="center" class="risk-2">Medium</td>
@@ -548,6 +553,88 @@ <h3>Alert Detail</h3>
 			</table>
 			<div class="spacer"></div>
 
+			<table class="results">
+				<tr height="24">
+					<th width="20%" class="risk-2"><a
+						id="10020"></a>
+						<div>Medium</div></th>
+					<th class="risk-2">Missing Anti-clickjacking Header</th>
+				</tr>
+				<tr>
+					<td width="20%">Description</td>
+					<td width="80%">
+							<div>The response does not include either Content-Security-Policy with &#39;frame-ancestors&#39; directive or X-Frame-Options to protect against &#39;ClickJacking&#39; attacks.</div>
+
+						</td>
+				</tr>
+				<TR vAlign="top">
+					<TD colspan="2"></TD>
+				</TR>
+
+					<tr>
+						<td width="20%"
+							class="indent1">URL</td>
+						<td width="80%"><a href="https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833/">https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833/</a></td>
+					</tr>
+					<tr>
+						<td width="20%"
+							class="indent2">Method</td>
+						<td width="80%">GET</td>
+					</tr>
+					<tr>
+						<td width="20%"
+							class="indent2">Parameter</td>
+						<td width="80%">x-frame-options</td>
+					</tr>
+					<tr>
+						<td width="20%"
+							class="indent2">Attack</td>
+						<td width="80%"></td>
+					</tr>
+					<tr>
+						<td width="20%"
+							class="indent2">Evidence</td>
+						<td width="80%"></td>
+					</tr>
+
+				<tr>
+					<td width="20%">Instances</td>
+					<td width="80%">1</td>
+				</tr>
+				<tr>
+					<td width="20%">Solution</td>
+					<td width="80%">
+							<div>Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.</div>
+							<br />
+
+							<div>If you expect the page to be framed only by pages on your server (e.g. it&#39;s part of a FRAMESET) then you&#39;ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy&#39;s &quot;frame-ancestors&quot; directive.</div>
+
+						</td>
+				</tr>
+				<tr>
+					<td width="20%">Reference</td>
+					<td width="80%">
+							<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options</a>
+
+						</td>
+				</tr>
+				<tr>
+					<td width="20%">CWE Id</td>
+					<td width="80%"><a
+						href="https://cwe.mitre.org/data/definitions/1021.html">1021</a></td>
+				</tr>
+				<tr>
+					<td width="20%">WASC Id</td>
+					<td width="80%">15</td>
+				</tr>
+				<tr>
+					<td width="20%">Plugin Id</td>
+					<td width="80%"><a
+						href="https://www.zaproxy.org/docs/alerts/10020/">10020</a></td>
+				</tr>
+			</table>
+			<div class="spacer"></div>
+
 			<table class="results">
 				<tr height="24">
 					<th width="20%" class="risk-2"><a
@@ -1780,7 +1867,7 @@ <h3>Alert Detail</h3>
 					<tr>
 						<td width="20%"
 							class="indent2">Evidence</td>
-						<td width="80%">de147619b81e9ae8785783513c0a433a</td>
+						<td width="80%">6935920bea02d205f08912af8f9f9c1e</td>
 					</tr>
 
 					<tr>
@@ -1806,7 +1893,7 @@ <h3>Alert Detail</h3>
 					<tr>
 						<td width="20%"
 							class="indent2">Evidence</td>
-						<td width="80%">de147619b81e9ae8785783513c0a433a</td>
+						<td width="80%">6935920bea02d205f08912af8f9f9c1e</td>
 					</tr>
 
 				<tr>

diff --git a/report_json.json b/report_json.json
@@ -1,7 +1,7 @@
 {
 	"@programName": "OWASP ZAP",
 	"@version": "2.13.0",
-	"@generated": "Tue, 18 Jul 2023 22:23:27",
+	"@generated": "Tue, 18 Jul 2023 22:52:47",
 	"site":[ 
 		{
 			"@name": "https://chefs-dev.apps.silver.devops.gov.bc.ca",
@@ -85,7 +85,34 @@
 					"reference": "<p>https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy</p><p>https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html</p><p>http://www.w3.org/TR/CSP/</p><p>http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html</p><p>http://www.html5rocks.com/en/tutorials/security/content-security-policy/</p><p>http://caniuse.com/#feat=contentsecuritypolicy</p><p>http://content-security-policy.com/</p>",
 					"cweid": "693",
 					"wascid": "15",
-					"sourceid": "9"
+					"sourceid": "8"
+				},
+				{
+					"pluginid": "10020",
+					"alertRef": "10020-1",
+					"alert": "Missing Anti-clickjacking Header",
+					"name": "Missing Anti-clickjacking Header",
+					"riskcode": "2",
+					"confidence": "2",
+					"riskdesc": "Medium (Medium)",
+					"desc": "<p>The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.</p>",
+					"instances":[ 
+						{
+							"uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833/",
+							"method": "GET",
+							"param": "x-frame-options",
+							"attack": "",
+							"evidence": "",
+							"otherinfo": ""
+						}
+					],
+					"count": "1",
+					"solution": "<p>Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.</p><p>If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's \"frame-ancestors\" directive.</p>",
+					"otherinfo": "",
+					"reference": "<p>https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options</p>",
+					"cweid": "1021",
+					"wascid": "15",
+					"sourceid": "3"
 				},
 				{
 					"pluginid": "40025",
@@ -120,7 +147,7 @@
 					"reference": "<p>https://tools.ietf.org/html/rfc7231#section-5.1.2</p>",
 					"cweid": "200",
 					"wascid": "45",
-					"sourceid": "608"
+					"sourceid": "588"
 				},
 				{
 					"pluginid": "10054",
@@ -198,7 +225,7 @@
 					"reference": "<p>https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy</p><p>https://developers.google.com/web/updates/2018/06/feature-policy</p><p>https://scotthelme.co.uk/a-new-security-header-feature-policy/</p><p>https://w3c.github.io/webappsec-feature-policy/</p><p>https://www.smashingmagazine.com/2018/12/feature-policy/</p>",
 					"cweid": "693",
 					"wascid": "15",
-					"sourceid": "9"
+					"sourceid": "8"
 				},
 				{
 					"pluginid": "10037",
@@ -284,7 +311,7 @@
 					"reference": "<p>https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html</p><p>https://owasp.org/www-community/Security_Headers</p><p>http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security</p><p>http://caniuse.com/stricttransportsecurity</p><p>http://tools.ietf.org/html/rfc6797</p>",
 					"cweid": "319",
 					"wascid": "15",
-					"sourceid": "9"
+					"sourceid": "8"
 				},
 				{
 					"pluginid": "10021",
@@ -346,7 +373,7 @@
 					"reference": "<p>http://projects.webappsec.org/Fingerprinting</p><p></p>",
 					"cweid": "200",
 					"wascid": "45",
-					"sourceid": "713"
+					"sourceid": "692"
 				},
 				{
 					"pluginid": "10109",
@@ -424,7 +451,7 @@
 					"reference": "<p>https://tools.ietf.org/html/rfc7234</p><p>https://tools.ietf.org/html/rfc7231</p><p>http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (obsoleted by rfc7234)</p>",
 					"cweid": "524",
 					"wascid": "13",
-					"sourceid": "9"
+					"sourceid": "8"
 				},
 				{
 					"pluginid": "10015",
@@ -468,15 +495,15 @@
 							"method": "GET",
 							"param": "fc01c8a3cd4d44217c0955933da80179",
 							"attack": "",
-							"evidence": "de147619b81e9ae8785783513c0a433a",
+							"evidence": "6935920bea02d205f08912af8f9f9c1e",
 							"otherinfo": "\ncookie:fc01c8a3cd4d44217c0955933da80179"
 						},
 						{
 							"uri": "https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833",
 							"method": "GET",
 							"param": "fc01c8a3cd4d44217c0955933da80179",
 							"attack": "",
-							"evidence": "de147619b81e9ae8785783513c0a433a",
+							"evidence": "6935920bea02d205f08912af8f9f9c1e",
 							"otherinfo": "\ncookie:fc01c8a3cd4d44217c0955933da80179"
 						}
 					],
@@ -628,7 +655,7 @@
 					"reference": "<p>https://owasp.org/wstg</p>",
 					"cweid": "0",
 					"wascid": "0",
-					"sourceid": "376"
+					"sourceid": "355"
 				}
 			]
 		}

diff --git a/report_md.md b/report_md.md
@@ -6,7 +6,7 @@
 | Risk Level | Number of Alerts |
 | --- | --- |
 | High | 0 |
-| Medium | 3 |
+| Medium | 4 |
 | Low | 5 |
 | Informational | 7 |
 
@@ -19,6 +19,7 @@
 | --- | --- | --- |
 | CSP: Wildcard Directive | Medium | 1 |
 | Content Security Policy (CSP) Header Not Set | Medium | 4 |
+| Missing Anti-clickjacking Header | Medium | 1 |
 | Proxy Disclosure | Medium | 2 |
 | Cookie with SameSite Attribute None | Low | 1 |
 | Permissions Policy Header Not Set | Low | 4 |
@@ -132,6 +133,42 @@ Ensure that your web server, application server, load balancer, etc. is configur
 #### CWE Id: [ 693 ](https://cwe.mitre.org/data/definitions/693.html)
 
 
+#### WASC Id: 15
+
+#### Source ID: 3
+
+### [ Missing Anti-clickjacking Header ](https://www.zaproxy.org/docs/alerts/10020/)
+
+
+
+##### Medium (Medium)
+
+### Description
+
+The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
+
+* URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833/
+  * Method: `GET`
+  * Parameter: `x-frame-options`
+  * Attack: ``
+  * Evidence: ``
+
+Instances: 1
+
+### Solution
+
+Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
+If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
+
+### Reference
+
+
+* [ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options ](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)
+
+
+#### CWE Id: [ 1021 ](https://cwe.mitre.org/data/definitions/1021.html)
+
+
 #### WASC Id: 15
 
 #### Source ID: 3
@@ -587,12 +624,12 @@ The given response has been identified as containing a session management token.
   * Method: `GET`
   * Parameter: `fc01c8a3cd4d44217c0955933da80179`
   * Attack: ``
-  * Evidence: `de147619b81e9ae8785783513c0a433a`
+  * Evidence: `6935920bea02d205f08912af8f9f9c1e`
 * URL: https://chefs-dev.apps.silver.devops.gov.bc.ca/pr-833
   * Method: `GET`
   * Parameter: `fc01c8a3cd4d44217c0955933da80179`
   * Attack: ``
-  * Evidence: `de147619b81e9ae8785783513c0a433a`
+  * Evidence: `6935920bea02d205f08912af8f9f9c1e`
 
 Instances: 2