ZAP
What is ZAP?
The zap-advanced
and zap
ScanType are being deprecated in favor of the zap-automation-framework
, which encompasses all functionalities of the previous ScanTypes. We recommend transitioning to "zap-automation-framework". This change will take effect in the upcoming release cycle. For guidance on migrating to "zap-automation-framework," please refer to here.
The Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
To learn more about the ZAP scanner itself visit https://www.zaproxy.org/. To learn more about the ZAP Automation Framework itself visit https://www.zaproxy.org/docs/desktop/addons/automation-framework/.
Deployment
The zap chart can be deployed via helm:
# Install HelmChart (use -n to configure another namespace)
helm upgrade --install zap oci://ghcr.io/securecodebox/helm/zap
Scanner Configuration
The following security scan configuration example are based on the ZAP Docker Scan Scripts. By default, the secureCodeBox ZAP Helm Chart installs all four ZAP scripts: zap-baseline
, zap-full-scan
, zap-api-scan
& zap-automation-scan
. Listed below are the arguments supported by the zap-baseline
script, which are mostly interchangeable with the other ZAP scripts (except for zap-automation-scan
). For a more complete reference check out the ZAP Documentation and the secureCodeBox based ZAP examples listed below.
The command line interface can be used to easily run server scans: -t www.example.com
Usage: zap-baseline.py -t <target> [options]
-t target target URL including the protocol, eg https://www.example.com
Options:
-h print this help message
-c config_file config file to use to INFO, IGNORE or FAIL warnings
-u config_url URL of config file to use to INFO, IGNORE or FAIL warnings
-g gen_file generate default config file (all rules set to WARN)
-m mins the number of minutes to spider for (default 1)
-r report_html file to write the full ZAP HTML report
-w report_md file to write the full ZAP Wiki (Markdown) report
-x report_xml file to write the full ZAP XML report
-J report_json file to write the full ZAP JSON document
-a include the alpha passive scan rules as well
-d show debug messages
-P specify listen port
-D delay in seconds to wait for passive scanning
-i default rules not in the config file to INFO
-I do not return failure on warning
-j use the Ajax spider in addition to the traditional one
-l level minimum level to show: PASS, IGNORE, INFO, WARN or FAIL, use with -s to hide example URLs
-n context_file context file which will be loaded prior to spidering the target
-p progress_file progress file which specifies issues that are being addressed
-s short output format - dont show PASSes or example URLs
-T max time in minutes to wait for ZAP to start and the passive scan to run
-z zap_options ZAP command line options e.g. -z "-config aaa=bbb -config ccc=ddd"
--hook path to python file that define your custom hooks
ZAP Automation Scanner Configuration
The Automation Framework allows for higher flexibility in configuring ZAP scans. Its goal is the automation of the full functionality of ZAP's GUI. The configuration of the Automation Framework differs from the other three ZAP scan types. The following security scan configuration example highlights the differences for running a zap-automation-scan
.
Of particular interest for us will be the -autorun option. zap-automation-scan
allows for providing an automation file as a ConfigMap that defines the details of the scan. See the secureCodeBox based ZAP Automation example listed below for what such a ConfigMap would look like.
Usage: zap.sh -cmd -host <target> [options]
-t target target URL including the protocol, eg https://www.example.com
Add-on options:
-script <script> Run the specified script from commandline or load in GUI
-addoninstall <addOnId> Installs the add-on with specified ID from the ZAP Marketplace
-addoninstallall Install all available add-ons from the ZAP Marketplace
-addonuninstall <addOnId> Uninstalls the Add-on with specified ID
-addonupdate Update all changed add-ons from the ZAP Marketplace
-addonlist List all of the installed add-ons
-certload <path> Loads the Root CA certificate from the specified file name
-certpubdump <path> Dumps the Root CA public certificate into the specified file name, this is suitable for importing into browsers
-certfulldump <path> Dumps the Root CA full certificate (including the private key) into the specified file name, this is suitable for importing into ZAP
-notel Turns off telemetry calls
-hud Launches a browser configured to proxy through ZAP with the HUD enabled, for use in daemon mode
-hudurl <url> Launches a browser as per the -hud option with the specified URL
-hudbrowser <browser> Launches a browser as per the -hud option with the specified browser, supported options: Chrome, Firefox by default 'Firefox'
-openapifile <path> Imports an OpenAPI definition from the specified file name
-openapiurl <url> Imports an OpenAPI definition from the specified URL
-openapitargeturl <url> The Target URL, to override the server URL present in the OpenAPI definition. Refer to the help for supported format.
-quickurl <target url> The URL to attack, e.g. http://www.example.com
-quickout <filename> The file to write the HTML/JSON/MD/XML results to (based on the file extension)
-autorun <filename> Run the automation jobs specified in the file.
-autogenmin <filename> Generate template automation file with the key parameters.
-autogenmax <filename> Generate template automation file with all parameters.
-autogenconf <filename> Generate template automation file using the current configuration.
-graphqlfile <path> Imports a GraphQL Schema from a File
-graphqlurl <url> Imports a GraphQL Schema from a URL
-graphqlendurl <url> Sets the Endpoint URL
Requirements
Kubernetes: >=v1.11.0-0
The secureCodeBox provides two different scanner charts (zap
, zap-advanced
) to automate ZAP WebApplication security scans. The first one zap
comes with four scanTypes:
zap-baseline-scan
zap-full-scan
zap-api-scan
zap-automation-scan
The scanTypes zap-baseline-scan
, zap-full-scan
& zap-api-scan
can be configured via CLI arguments which are somehow a bit limited for some advanced usecases, e.g. using custom zap scripts or configuring complex authentication settings.
That's why we introduced this zap-advanced
scanner chart, which introduces extensive YAML configuration options for ZAP. The YAML configuration can be split in multiple files and will be merged at start.
ZAP's own Automation Framework provides similar functionality to the zap-advanced
scanner chart and is set to displace it in the future.
ZAP Automation Configuration
The ZAP Automation Scanner supports the use of secrets, as to not have hardcoded credentials in the scan definition. Generate secrets using the credentials that will later be used in the scan for authentication. Supported authentication methods for the ZAP Authentication scanner are Manual, HTTP / NTLM, Form-based, JSON-based, and Script-based.
kubectl create secret generic unamesecret --from-literal='username=<USERNAME>'
kubectl create secret generic pwordsecret --from-literal='password=<PASSWORD>'
You can now include the secrets in the scan definition and reference them in the ConfigMap that defines the scan options. A ZAP Automation scan using JSON-based authentication may look like this:
apiVersion: v1
kind: ConfigMap
metadata:
name: "zap-automation-scan-config"
data:
1-automation.yaml: |-
env: # The environment, mandatory
contexts: # List of 1 or more contexts, mandatory
- name: test-config # Name to be used to refer to this context in other jobs, mandatory
urls: ["http://juiceshop.demo-targets.svc:3000"] # A mandatory list of top level urls, everything under each url will be included
includePaths:
- "http://juiceshop.demo-targets.svc:3000/.*" # An optional list of regexes to include
excludePaths:
- ".*socket\\.io.*"
- ".*\\.png"
- ".*\\.jpeg"
- ".*\\.jpg"
- ".*\\.woff"
- ".*\\.woff2"
- ".*\\.ttf"
- ".*\\.ico"
authentication:
method: "json"
parameters:
loginPageUrl: "http://juiceshop.demo-targets.svc:3000/rest/user"
loginRequestUrl: "http://juiceshop.demo-targets.svc:3000/rest/user/login"
loginRequestBody: '{"email":"${EMAIL}","password":"${PASS}"}'
verification:
method: "response"
loggedOutRegex: '\Q{"user":{}}\E'
loggedInRegex: '\Q<a href="password.jsp">\E'
users:
- name: "juiceshop-user-1"
credentials:
username: "${EMAIL}"
password: "${PASS}"
parameters:
failOnError: true # If set exit on an error
failOnWarning: false # If set exit on a warning
progressToStdout: true # If set will write job progress to stdout
jobs:
- type: passiveScan-config # Passive scan configuration
parameters:
maxAlertsPerRule: 10 # Int: Maximum number of alerts to raise per rule
scanOnlyInScope: true # Bool: Only scan URLs in scope (recommended)
- type: spider # The traditional spider - fast but doesnt handle modern apps so well
parameters:
context: test-config # String: Name of the context to spider, default: first context
user: juiceshop-user-1 # String: An optional user to use for authentication, must be defined in the env
maxDuration: 2 # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
- type: spiderAjax # The ajax spider - slower than the spider but handles modern apps well
parameters:
context: test-config # String: Name of the context to spider, default: first context
maxDuration: 2 # Int: The max time in minutes the ajax spider will be allowed to run for, default: 0 unlimited
- type: passiveScan-wait # Passive scan wait for the passive scanner to finish
parameters:
maxDuration: 10 # Int: The max time to wait for the passive scanner, default: 0 unlimited
- type: report # Report generation
parameters:
template: traditional-xml # String: The template id, default : modern
reportDir: /home/securecodebox/ # String: The directory into which the report will be written
reportFile: zap-results # String: The report file name pattern, default: [[yyyy-MM-dd]]-ZAP-Report-[[site]]
risks: # List: The risks to include in this report, default all
- high
- medium
- low
---
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "zap-example-scan"
spec:
scanType: "zap-automation-scan"
parameters:
- "-autorun"
- "/home/securecodebox/scb-automation/1-automation.yaml"
volumeMounts:
- mountPath: /home/securecodebox/scb-automation/1-automation.yaml
name: zap-automation
subPath: 1-automation.yaml
volumes:
- name: zap-automation
configMap:
name: zap-automation-scan-config
env:
- name: EMAIL
valueFrom:
secretKeyRef:
name: unamesecret
key: username
- name: PASS
valueFrom:
secretKeyRef:
name: pwordsecret
key: password
For a complete overview of all the possible options you have for configuring a ZAP Automation scan, run
./zap.sh -cmd -autogenmax zap.yaml
For an overview of all required configuration options, run
bash ./zap.sh -cmd -autogenmin zap.yaml
Alternatively, have a look at the official documentation.
Values
Key | Type | Default | Description |
---|---|---|---|
cascadingRules.enabled | bool | false | Enables or disables the installation of the default cascading rules for this scanner |
imagePullSecrets | list | [] | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) |
parser.affinity | object | {} | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
parser.env | list | [] | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
parser.image.pullPolicy | string | "IfNotPresent" | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
parser.image.repository | string | "docker.io/securecodebox/parser-zap" | Parser image repository |
parser.image.tag | string | defaults to the charts version | Parser image tag |
parser.nodeSelector | object | {} | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) |
parser.resources | object | { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } } | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
parser.scopeLimiterAliases | object | {} | Optional finding aliases to be used in the scopeLimiter. |
parser.tolerations | list | [] | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
parser.ttlSecondsAfterFinished | string | nil | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
scanner.activeDeadlineSeconds | string | nil | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) |
scanner.affinity | object | {} | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) |
scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
scanner.env | list | [] | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
scanner.envFrom | list | [] | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) |
scanner.extraContainers | list | [] | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
scanner.extraVolumeMounts | list | [{"mountPath":"/zap/wrk","name":"zap-workdir"}] | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
scanner.extraVolumes | list | [{"emptyDir":{},"name":"zap-workdir"}] | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
scanner.image.pullPolicy | string | "IfNotPresent" | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
scanner.image.repository | string | "softwaresecurityproject/zap-stable" | Container Image to run the scan |
scanner.image.tag | string | nil | defaults to the charts appVersion |
scanner.nameAppend | string | nil | append a string to the default scantype name. |
scanner.nodeSelector | object | {} | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) |
scanner.podSecurityContext | object | {} | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
scanner.resources | object | {} | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
scanner.securityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false} | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
scanner.securityContext.allowPrivilegeEscalation | bool | false | Ensure that users privileges cannot be escalated |
scanner.securityContext.capabilities.drop[0] | string | "all" | This drops all linux privileges from the container. |
scanner.securityContext.privileged | bool | false | Ensures that the scanner container is not run in privileged mode |
scanner.securityContext.readOnlyRootFilesystem | bool | false | Prevents write access to the containers file system |
scanner.securityContext.runAsNonRoot | bool | false | Enforces that the scanner image is run as a non root user |
scanner.suspend | bool | false | if set to true the scan job will be suspended after creation. You can then resume the job using kubectl resume <jobname> or using a job scheduler like kueue |
scanner.tolerations | list | [] | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
scanner.ttlSecondsAfterFinished | string | nil | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
License
Code of secureCodeBox is licensed under the Apache License 2.0.
CPU architectures
The scanner is currently supported for these CPU architectures:
- linux/amd64
- linux/arm64
Examples
demo-bodgeit-baseline-scan
- Scan
- Findings
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "zap-baseline-scan-bodgeit"
spec:
scanType: "zap-baseline-scan"
parameters:
# target URL including the protocol
- "-t"
- "http://bodgeit.demo-targets.svc:8080"
# show debug messages
- "-d"
# the number of minutes to spider for (default 1)
- "-m"
- "2"
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
[
{
"name": "Content Security Policy (CSP) Header Not Set",
"description": "Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.",
"category": "Content Security Policy (CSP) Header Not Set",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "LOW",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "298",
"zap_solution": 'Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+.',
"zap_otherinfo": null,
"zap_reference": "https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policyhttps://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.htmlhttp://www.w3.org/TR/CSP/http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.htmlhttp://www.html5rocks.com/en/tutorials/security/content-security-policy/http://caniuse.com/#feat=contentsecuritypolicyhttp://content-security-policy.com/",
"zap_cweid": "16",
"zap_wascid": "15",
"zap_riskcode": "1",
"zap_pluginid": "10038",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/tagplugin/choose.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/valve.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/tagfiles/panel.jsp.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/loader.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/connectors.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/HelloWorldSimpleTag.java.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/apr.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/introduction.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/listeners.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample",
"method": "POST",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/class-loader-howto.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/RequestParamExample",
"method": "POST",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspx/textRotate.jspx.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/helloworld.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/security-howto.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/jasper-howto.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/misc/config.jsp.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-interceptor.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/index.html",
"method": "GET",
},
],
},
"id": "7e32d4f4-97e2-4d72-8aaf-cd3170096b85",
},
{
"name": "X-Frame-Options Header Not Set",
"description": "X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.",
"category": "X-Frame-Options Header Not Set",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "MEDIUM",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "280",
"zap_solution": "Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).",
"zap_otherinfo": null,
"zap_reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"zap_cweid": "16",
"zap_wascid": "15",
"zap_riskcode": "2",
"zap_pluginid": "10020",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/rewrite.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/mbean-names.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/faq.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/include/include.jsp.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/automatic-deployment.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/colors.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/tagfiles/hello.jsp",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspattribute/shuffle.jsp.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/index.xhtml",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/cluster-howto.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/echo.xhtml",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/jts.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/simpletag/foo.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/Functions.java.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/tagplugin/choose.jsp",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/interceptors.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-jndi-realm.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/dates/date.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/RequestHeaderExample",
"method": "GET",
"param": "X-Frame-Options",
},
],
},
"id": "81e0f441-e995-415e-a2fb-3888029538d3",
},
{
"name": 'Server Leaks Version Information via "Server" HTTP Response Header Field',
"description": 'The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.',
"category": 'Server Leaks Version Information via "Server" HTTP Response Header Field',
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "LOW",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "3",
"zap_count": "337",
"zap_solution": 'Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.',
"zap_otherinfo": null,
"zap_reference": "http://httpd.apache.org/docs/current/mod/core.html#servertokenshttp://msdn.microsoft.com/en-us/library/ff648552.aspx#ht_urlscan_007http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspxhttp://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html",
"zap_cweid": "200",
"zap_wascid": "13",
"zap_riskcode": "1",
"zap_pluginid": "10036",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/filter.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/num/numguess.jsp.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/implicit-objects.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/cal/cal2.jsp.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/index.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/hello.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/book.jsp.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/basic-comparisons.jsp.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/http.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/developers.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/maven-jars.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/service.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/mbeans-descriptors-howto.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/chat.xhtml",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/catalina/Host.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/snp/snoop.jsp.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/functions.jsp.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspattribute/shuffle.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/tagplugin/foreach.jsp",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-admin-objects.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
],
},
"id": "bbd6f2df-c5b0-4f0e-aeed-11936f32b826",
},
{
"name": "Timestamp Disclosure - Unix",
"description": "A timestamp was disclosed by the application/web server - Unix",
"category": "Timestamp Disclosure - Unix",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "INFORMATIONAL",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "1",
"zap_count": "51",
"zap_solution": "Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.",
"zap_otherinfo": "0000000039, which evaluates to: 1970-01-01 00:00:39",
"zap_reference": "http://projects.webappsec.org/w/page/13246936/Information%20Leakage",
"zap_cweid": "200",
"zap_wascid": "13",
"zap_riskcode": "0",
"zap_pluginid": "10096",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000000039",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000000008",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000014963",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000018373",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/snp/snoop.jsp",
"method": "GET",
"evidence": "20100101",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000000018",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000005503",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000000026",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000015294",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000016347",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000002280",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000043589",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000015448",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000007734",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000010013",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/manager-howto.html",
"method": "GET",
"evidence": "46800300",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000005214",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000043442",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000005368",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
"method": "GET",
"evidence": "0000000301",
},
],
},
"id": "322a8f55-aac1-4e2b-8ef5-1da7c9f89497",
},
{
"name": "Reverse Tabnabbing",
"description": 'At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page.',
"category": "Reverse Tabnabbing",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "MEDIUM",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "102",
"zap_solution": 'Do not use a target attribute, or if you have to then also add the attribute: rel="noopener noreferrer".',
"zap_otherinfo": null,
"zap_reference": "https://owasp.org/www-community/attacks/Reverse_Tabnabbinghttps://dev.to/ben/the-targetblank-vulnerability-by-examplehttps://mathiasbynens.github.io/rel-noopener/https://medium.com/@jitbit/target-blank-the-most-underestimated-vulnerability-ever-96e328301f4c",
"zap_cweid": null,
"zap_wascid": null,
"zap_riskcode": "2",
"zap_pluginid": "10108",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/class-loader-howto.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="./images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/virtual-hosting-howto.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="./images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-valve.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="../images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/windows-service-howto.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="./images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-manager.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="../images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/apr.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="./images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/connectors.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="./images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/security-howto.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="./images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-channel.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="../images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/jasper-howto.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="./images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/transport.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="../images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/status.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="../images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/processes.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="../images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/realm.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="../images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/index.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="../images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/building.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="./images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/introduction.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="../images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/systemprops.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="../images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/membership.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="../images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-deployer.html",
"method": "GET",
"evidence": '<a href="http://www.apache.org/" target="_blank"><img src="../images/asf-feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>',
},
],
},
"id": "3c92d43d-c321-47bc-a75d-8823cb69a4b9",
},
{
"name": "X-Content-Type-Options Header Missing",
"description": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.",
"category": "X-Content-Type-Options Header Missing",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "LOW",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "316",
"zap_solution": "Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.",
"zap_otherinfo": 'This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.At "High" threshold this scanner will not alert on client or server error responses.',
"zap_reference": "http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspxhttps://owasp.org/www-community/Security_Headers",
"zap_cweid": "16",
"zap_wascid": "15",
"zap_riskcode": "1",
"zap_pluginid": "10021",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/jts.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/automatic-deployment.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/mbean-names.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/include/include.jsp.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/rewrite.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/basic-arithmetic.jsp",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/tomcat.png",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/colors.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/images/asf-feather.png",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-admin-apps.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/introduction.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/faq.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/servletapi/index.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/misc/dynamicattrs.jsp.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/building.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspattribute/shuffle.jsp.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/images/code.gif",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-receiver.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/deployer-howto.html",
"method": "GET",
"param": "X-Content-Type-Options",
},
],
},
"id": "8843596f-ab70-4385-ad6d-604677c9014f",
},
{
"name": "Absence of Anti-CSRF Tokens",
"description": "No Anti-CSRF tokens were found in a HTML submission form.A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.CSRF attacks are effective in a number of situations, including: * The victim has an active session on the target site. * The victim is authenticated via HTTP auth on the target site. * The victim is on the same local network as the target site.CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.",
"category": "Absence of Anti-CSRF Tokens",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "LOW",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "29",
"zap_solution": "Phase: Architecture and DesignUse a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.For example, use anti-CSRF packages such as the OWASP CSRFGuard.Phase: ImplementationEnsure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.Phase: Architecture and DesignGenerate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).Note that this can be bypassed using XSS.Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.Note that this can be bypassed using XSS.Use the ESAPI Session Management control.This control includes a component for CSRF.Do not use the GET method for any request that triggers a state change.Phase: ImplementationCheck the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.",
"zap_otherinfo": 'No known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret] was found in the following HTML form: [Form 1: "guess" ].',
"zap_reference": "http://projects.webappsec.org/Cross-Site-Request-Forgeryhttp://cwe.mitre.org/data/definitions/352.html",
"zap_cweid": "352",
"zap_wascid": "9",
"zap_riskcode": "1",
"zap_pluginid": "10202",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/num/numguess.jsp",
"method": "GET",
"evidence": "<form method=get>",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample?dataname=foo&datavalue=bar",
"method": "GET",
"evidence": '<form action="SessionExample" method=GET>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.html",
"method": "GET",
"evidence": "<form type=POST action=carts.jsp>",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/cal/cal1.jsp?action=Submit&email=ZAP&name=ZAP",
"method": "GET",
"evidence": "<FORM METHOD=POST ACTION=cal1.jsp>",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
"method": "POST",
"evidence": '<form action="CookieExample" method=POST>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample",
"method": "GET",
"evidence": '<form action="SessionExample" method=GET>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample?dataname=ZAP&datavalue=ZAP",
"method": "GET",
"evidence": '<form action="SessionExample" method=GET>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/checkbox/check.html",
"method": "GET",
"evidence": "<FORM TYPE=POST ACTION=checkresult.jsp>",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/error/error.html",
"method": "GET",
"evidence": "<form method=get action=err.jsp>",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.jsp?item=X-files+movie&submit=add",
"method": "GET",
"evidence": "<form type=POST action=carts.jsp>",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/implicit-objects.jsp?foo=bar",
"method": "GET",
"evidence": '<form action="implicit-objects.jsp" method="GET">',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/security/protected/index.jsp",
"method": "GET",
"evidence": '<form method="POST" action=''j_security_check'' >',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/RequestParamExample",
"method": "POST",
"evidence": '<form action="RequestParamExample" method=POST>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/functions.jsp?foo=JSP+2.0",
"method": "GET",
"evidence": '<form action="functions.jsp" method="GET">',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/nonblocking/bytecounter.html",
"method": "GET",
"evidence": '<form method="POST" enctype="multipart/form-data" action="bytecounter" >',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/colors.html",
"method": "GET",
"evidence": "<form method=GET action=colrs.jsp>",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample",
"method": "GET",
"evidence": '<form action="SessionExample" method=POST>',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/cal/login.html",
"method": "GET",
"evidence": "<form method=GET action=cal1.jsp>",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/num/numguess.jsp?guess=ZAP",
"method": "GET",
"evidence": "<form method=get>",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.jsp?item=X-files+movie&submit=remove",
"method": "GET",
"evidence": "<form type=POST action=carts.jsp>",
},
],
},
"id": "7e0751eb-ae31-4686-b0b5-53df0e00ea4b",
},
{
"name": "User Controllable HTML Element Attribute (Potential XSS)",
"description": "This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.",
"category": "User Controllable HTML Element Attribute (Potential XSS)",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "INFORMATIONAL",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "1",
"zap_count": "7",
"zap_solution": "Validate all input and sanitize output it before writing to any HTML attributes.",
"zap_otherinfo": "User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/colrs.jsp?action=Hint&color1=ZAP&color2=ZAPappears to include user input in: a(n) [input] tag [value] attribute The user input found was:action=HintThe user-controlled value was:hint",
"zap_reference": "http://websecuritytool.codeplex.com/wikipage?title=Checks#user-controlled-html-attribute",
"zap_cweid": "20",
"zap_wascid": "20",
"zap_riskcode": "0",
"zap_pluginid": "10031",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/colrs.jsp?action=Hint&color1=ZAP&color2=ZAP",
"method": "GET",
"param": "action",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/colrs.jsp?action=Submit&color1=ZAP&color2=ZAP",
"method": "GET",
"param": "action",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/functions.jsp?foo=JSP+2.0",
"method": "GET",
"param": "foo",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/implicit-objects.jsp?foo=bar",
"method": "GET",
"param": "foo",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.jsp?item=X-files+movie&submit=remove",
"method": "GET",
"param": "submit",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/colrs.jsp?action=Submit&color1=ZAP&color2=ZAP",
"method": "GET",
"param": "action",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.jsp?item=X-files+movie&submit=add",
"method": "GET",
"param": "submit",
},
],
},
"id": "1139b86b-5eb2-4ef9-b5f3-24beeedafbf2",
},
{
"name": "Private IP Disclosure",
"description": "A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.",
"category": "Private IP Disclosure",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "LOW",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "4",
"zap_solution": "Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.",
"zap_otherinfo": "10.1.20.26",
"zap_reference": "https://tools.ietf.org/html/rfc1918",
"zap_cweid": "200",
"zap_wascid": "13",
"zap_riskcode": "1",
"zap_pluginid": "2",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/RequestInfoExample",
"method": "GET",
"evidence": "10.1.20.26",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/snp/snoop.jsp",
"method": "GET",
"evidence": "10.1.20.26",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/filter.html",
"method": "GET",
"evidence": "192.168.0.10",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/monitoring.html",
"method": "GET",
"evidence": "192.168.1.75",
},
],
},
"id": "32b8e793-7258-4e6b-bc60-f13ab05dc489",
},
{
"name": "Application Error Disclosure",
"description": "This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.",
"category": "Application Error Disclosure",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "MEDIUM",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "5",
"zap_solution": "Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.",
"zap_otherinfo": null,
"zap_reference": null,
"zap_cweid": "200",
"zap_wascid": "13",
"zap_riskcode": "2",
"zap_pluginid": "90022",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/jndi-resources-howto.html",
"method": "GET",
"evidence": "JDBC Driver",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/manager-howto.html",
"method": "GET",
"evidence": "java.lang.NumberFormatException: For input string:",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/jndi-datasource-examples-howto.html",
"method": "GET",
"evidence": "JDBC Driver",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/listeners.html",
"method": "GET",
"evidence": "JDBC Driver",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/valve.html",
"method": "GET",
"evidence": "Error Report",
},
],
},
"id": "13184616-ff12-4785-8c31-1c9d9d11942a",
},
{
"name": "Modern Web Application",
"description": "The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.",
"category": "Modern Web Application",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "INFORMATIONAL",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "4",
"zap_solution": "This is an informational alert and so no changes are required.",
"zap_otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application.",
"zap_reference": null,
"zap_cweid": null,
"zap_wascid": null,
"zap_riskcode": "0",
"zap_pluginid": "10109",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/echo.xhtml",
"method": "GET",
"evidence": "<script type=\"application/javascript\"><![CDATA[\n \"use strict\";\n\n var ws = null;\n\n function setConnected(connected) {\n document.getElementById('connect').disabled = connected;\n document.getElementById('disconnect').disabled = !connected;\n document.getElementById('echo').disabled = !connected;\n }\n\n function connect() {\n var target = document.getElementById('target').value;\n if (target == '') {\n alert('Please select server side connection implementation.');\n return;\n }\n if ('WebSocket' in window) {\n ws = new WebSocket(target);\n } else if ('MozWebSocket' in window) {\n ws = new MozWebSocket(target);\n } else {\n alert('WebSocket is not supported by this browser.');\n return;\n }\n ws.onopen = function () {\n setConnected(true);\n log('Info: WebSocket connection opened.');\n };\n ws.onmessage = function (event) {\n log('Received: ' + event.data);\n };\n ws.onclose = function (event) {\n setConnected(false);\n log('Info: WebSocket connection closed, Code: ' + event.code + (event.reason == \"\" ? \"\" : \", Reason: \" + event.reason));\n };\n }\n\n function disconnect() {\n if (ws != null) {\n ws.close();\n ws = null;\n }\n setConnected(false);\n }\n\n function echo() {\n if (ws != null) {\n var message = document.getElementById('message').value;\n log('Sent: ' + message);\n ws.send(message);\n } else {\n alert('WebSocket connection not established, please connect.');\n }\n }\n\n function updateTarget(target) {\n if (window.location.protocol == 'http:') {\n document.getElementById('target').value = 'ws://' + window.location.host + target;\n } else {\n document.getElementById('target').value = 'wss://' + window.location.host + target;\n }\n }\n\n function log(message) {\n var console = document.getElementById('console');\n var p = document.createElement('p');\n p.style.wordWrap = 'break-word';\n p.appendChild(document.createTextNode(message));\n console.appendChild(p);\n while (console.childNodes.length > 25) {\n console.removeChild(console.firstChild);\n }\n console.scrollTop = console.scrollHeight;\n }\n\n\n document.addEventListener(\"DOMContentLoaded\", function() {\n // Remove elements with \"noscript\" class - <noscript> is not allowed in XHTML\n var noscripts = document.getElementsByClassName(\"noscript\");\n for (var i = 0; i < noscripts.length; i++) {\n noscripts[i].parentNode.removeChild(noscripts[i]);\n }\n }, false);\n ]]></script>",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/drawboard.xhtml",
"method": "GET",
"evidence": "<script type=\"application/javascript\"><![CDATA[\n \"use strict\";\n\n (function() {\n\n document.addEventListener(\"DOMContentLoaded\", function() {\n // Remove elements with \"noscript\" class - <noscript> is not\n // allowed in XHTML\n var noscripts = document.getElementsByClassName(\"noscript\");\n for (var i = 0; i < noscripts.length; i++) {\n noscripts[i].parentNode.removeChild(noscripts[i]);\n }\n\n // Add script for expand content.\n var expandElements = document.getElementsByClassName(\"expand\");\n for (var ixx = 0; ixx < expandElements.length; ixx++) {\n (function(el) {\n var expandContent = document.getElementById(el.getAttribute(\"data-content-id\"));\n expandContent.style.display = \"none\";\n var arrow = document.createTextNode(\"◢ \");\n var arrowSpan = document.createElement(\"span\");\n arrowSpan.appendChild(arrow);\n\n var link = document.createElement(\"a\");\n link.setAttribute(\"href\", \"#!\");\n while (el.firstChild != null) {\n link.appendChild(el.removeChild(el.firstChild));\n }\n el.appendChild(arrowSpan);\n el.appendChild(link);\n\n var textSpan = document.createElement(\"span\");\n textSpan.setAttribute(\"style\", \"font-weight: normal;\");\n textSpan.appendChild(document.createTextNode(\" (click to expand)\"));\n el.appendChild(textSpan);\n\n\n var visible = true;\n\n var switchExpand = function() {\n visible = !visible;\n expandContent.style.display = visible ? \"block\" : \"none\";\n arrowSpan.style.color = visible ? \"#000\" : \"#888\";\n return false;\n };\n\n link.onclick = switchExpand;\n switchExpand();\n\n })(expandElements[ixx]);\n }\n\n\n var Console = {};\n\n Console.log = (function() {\n var consoleContainer =\n document.getElementById(\"console-container\");\n var console = document.createElement(\"div\");\n console.setAttribute(\"id\", \"console\");\n consoleContainer.appendChild(console);\n\n return function(message) {\n var p = document.createElement('p');\n p.style.wordWrap = \"break-word\";\n p.appendChild(document.createTextNode(message));\n console.appendChild(p);\n while (console.childNodes.length > 25) {\n console.removeChild(console.firstChild);\n }\n console.scrollTop = console.scrollHeight;\n }\n })();\n\n\n function Room(drawContainer) {\n\n /* A pausable event forwarder that can be used to pause and\n * resume handling of events (e.g. when we need to wait\n * for a Image's load event before we can process further\n * WebSocket messages).\n * The object's callFunction(func) should be called from an\n * event handler and give the function to handle the event as\n * argument.\n * Call pauseProcessing() to suspend event forwarding and\n * resumeProcessing() to resume it.\n */\n function PausableEventForwarder() {\n\n var pauseProcessing = false;\n // Queue for buffering functions to be called.\n var functionQueue = [];\n\n this.callFunction = function(func) {\n // If message processing is paused, we push it\n // into the queue - otherwise we process it directly.\n if (pauseProcessing) {\n functionQueue.push(func);\n } else {\n func();\n }\n };\n\n this.pauseProcessing = function() {\n pauseProcessing = true;\n };\n\n this.resumeProcessing = function() {\n pauseProcessing = false;\n\n // Process all queued functions until some handler calls\n // pauseProcessing() again.\n while (functionQueue.length > 0 && !pauseProcessing) {\n var func = functionQueue.pop();\n func();\n }\n };\n }\n\n // The WebSocket object.\n var socket;\n // ID of the timer which sends ping messages.\n var pingTimerId;\n\n var isStarted = false;\n var playerCount = 0;\n\n // An array of PathIdContainer objects that the server\n // did not yet handle.\n // They are ordered by id (ascending).\n var pathsNotHandled = [];\n\n var nextMsgId = 1;\n\n var canvasDisplay = document.createElement(\"canvas\");\n var canvasBackground = document.createElement(\"canvas\");\n var canvasServerImage = document.createElement(\"canvas\");\n var canvasArray = [canvasDisplay, canvasBackground,\n canvasServerImage];\n canvasDisplay.addEventListener(\"mousedown\", function(e) {\n // Prevent default mouse event to prevent browsers from marking text\n // (and Chrome from displaying the \"text\" cursor).\n e.preventDefault();\n }, false);\n\n var labelPlayerCount = document.createTextNode(\"0\");\n var optionContainer = document.createElement(\"div\");\n\n\n var canvasDisplayCtx = canvasDisplay.getContext(\"2d\");\n var canvasBackgroundCtx = canvasBackground.getContext(\"2d\");\n var canvasServerImageCtx = canvasServerImage.getContext(\"2d\");\n var canvasMouseMoveHandler;\n var canvasMouseDownHandler;\n\n var isActive = false;\n var mouseInWindow = false;\n var mouseDown = false;\n var currentMouseX = 0, currentMouseY = 0;\n var currentPreviewPath = null;\n\n var availableColors = [];\n var currentColorIndex;\n var colorContainers;\n var previewTransparency = 0.65;\n\n var availableThicknesses = [2, 3, 6, 10, 16, 28, 50];\n var currentThicknessIndex;\n var thicknessContainers;\n\n var availableDrawTypes = [\n { name: \"Brush\", id: 1, continuous: true },\n { name: \"Line\", id: 2, continuous: false },\n { name: \"Rectangle\", id: 3, continuous: false },\n { name: \"Ellipse\", id: 4, continuous: false }\n ];\n var currentDrawTypeIndex;\n var drawTypeContainers;\n\n\n var labelContainer = document.getElementById(\"labelContainer\");\n var placeholder = document.createElement(\"div\");\n placeholder.appendChild(document.createTextNode(\"Loading... \"));\n var progressElem = document.createElement(\"progress\");\n placeholder.appendChild(progressElem);\n\n labelContainer.appendChild(placeholder);\n\n function rgb(color) {\n return \"rgba(\" + color[0] + \",\" + color[1] + \",\"\n + color[2] + \",\" + color[3] + \")\";\n }\n\n function PathIdContainer(path, id) {\n this.path = path;\n this.id = id;\n }\n\n function Path(type, color, thickness, x1, y1, x2, y2, lastInChain) {\n this.type = type;\n this.color = color;\n this.thickness = thickness;\n this.x1 = x1;\n this.y1 = y1;\n this.x2 = x2;\n this.y2 = y2;\n this.lastInChain = lastInChain;\n\n function ellipse(ctx, x, y, w, h) {\n /* Drawing a ellipse cannot be done directly in a\n * CanvasRenderingContext2D - we need to use drawArc()\n * in conjunction with scaling the context so that we\n * get the needed proportion.\n */\n ctx.save();\n\n // Translate and scale the context so that we can draw\n // an arc at (0, 0) with a radius of 1.\n ctx.translate(x + w / 2, y + h / 2);\n ctx.scale(w / 2, h / 2);\n\n ctx.beginPath();\n ctx.arc(0, 0, 1, 0, Math.PI * 2, false);\n\n ctx.restore();\n }\n\n this.draw = function(ctx) {\n ctx.beginPath();\n ctx.lineCap = \"round\";\n ctx.lineWidth = thickness;\n var style = rgb(color);\n ctx.strokeStyle = style;\n\n if (x1 == x2 && y1 == y2) {\n // Always draw as arc to meet the behavior\n // in Java2D.\n ctx.fillStyle = style;\n ctx.arc(x1, y1, thickness / 2.0, 0,\n Math.PI * 2.0, false);\n ctx.fill();\n } else {\n if (type == 1 || type == 2) {\n // Draw a line.\n ctx.moveTo(x1, y1);\n ctx.lineTo(x2, y2);\n ctx.stroke();\n } else if (type == 3) {\n // Draw a rectangle.\n if (x1 == x2 || y1 == y2) {\n // Draw as line\n ctx.moveTo(x1, y1);\n ctx.lineTo(x2, y2);\n ctx.stroke();\n } else {\n ctx.strokeRect(x1, y1, x2 - x1, y2 - y1);\n }\n } else if (type == 4) {\n // Draw a ellipse.\n ellipse(ctx, x1, y1, x2 - x1, y2 - y1);\n ctx.closePath();\n ctx.stroke();\n }\n }\n };\n }\n\n\n function connect() {\n var host = (window.location.protocol == \"https:\"\n ? \"wss://\" : \"ws://\") + window.location.host\n + \"/examples/websocket/drawboard\";\n socket = new WebSocket(host);\n\n /* Use a pausable event forwarder.\n * This is needed when we load an Image object with data\n * from a previous message, because we must wait until the\n * Image's load event it raised before we can use it (and\n * in the meantime the socket.message event could be\n * raised).\n * Therefore we need this pausable event handler to handle\n * e.g. socket.onmessage and socket.onclose.\n */\n var eventForwarder = new PausableEventForwarder();\n\n socket.onopen = function () {\n // Socket has opened. Now wait for the server to\n // send us the initial packet.\n Console.log(\"WebSocket connection opened.\");\n\n // Set up a timer for pong messages.\n pingTimerId = window.setInterval(function() {\n socket.send(\"0\");\n }, 30000);\n };\n\n socket.onclose = function () {\n eventForwarder.callFunction(function() {\n Console.log(\"WebSocket connection closed.\");\n disableControls();\n\n // Disable pong timer.\n window.clearInterval(pingTimerId);\n });\n };\n\n // Handles an incoming Websocket message.\n var handleOnMessage = function(message) {\n\n // Split joined message and process them\n // invidividually.\n var messages = message.data.split(\";\");\n for (var msgArrIdx = 0; msgArrIdx < messages.length;\n msgArrIdx++) {\n var msg = messages[msgArrIdx];\n var type = msg.substring(0, 1);\n\n if (type == \"0\") {\n // Error message.\n var error = msg.substring(1);\n // Log it to the console and show an alert.\n Console.log(\"Error: \" + error);\n alert(error);\n\n } else {\n if (!isStarted) {\n if (type == \"2\") {\n // Initial message. It contains the\n // number of players.\n // After this message we will receive\n // a binary message containing the current\n // room image as PNG.\n playerCount = parseInt(msg.substring(1));\n\n refreshPlayerCount();\n\n // The next message will be a binary\n // message containing the room images\n // as PNG. Therefore we temporarily swap\n // the message handler.\n var originalHandler = handleOnMessage;\n handleOnMessage = function(message) {\n // First, we restore the original handler.\n handleOnMessage = originalHandler;\n\n // Read the image.\n var blob = message.data;\n // Create new blob with correct MIME type.\n blob = new Blob([blob], {type : \"image/png\"});\n\n var url = URL.createObjectURL(blob);\n\n var img = new Image();\n\n // We must wait until the onload event is\n // raised until we can draw the image onto\n // the canvas.\n // Therefore we need to pause the event\n // forwarder until the image is loaded.\n eventForwarder.pauseProcessing();\n\n img.onload = function() {\n\n // Release the object URL.\n URL.revokeObjectURL(url);\n\n // Set the canvases to the correct size.\n for (var i = 0; i < canvasArray.length; i++) {\n canvasArray[i].width = img.width;\n canvasArray[i].height = img.height;\n }\n\n // Now draw the image on the last canvas.\n canvasServerImageCtx.clearRect(0, 0,\n canvasServerImage.width,\n canvasServerImage.height);\n canvasServerImageCtx.drawImage(img, 0, 0);\n\n // Draw it on the background canvas.\n canvasBackgroundCtx.drawImage(canvasServerImage,\n 0, 0);\n\n isStarted = true;\n startControls();\n\n // Refresh the display canvas.\n refreshDisplayCanvas();\n\n\n // Finally, resume the event forwarder.\n eventForwarder.resumeProcessing();\n };\n\n img.src = url;\n };\n }\n } else {\n if (type == \"3\") {\n // The number of players in this room changed.\n var playerAdded = msg.substring(1) == \"+\";\n playerCount += playerAdded ? 1 : -1;\n refreshPlayerCount();\n\n Console.log(\"Player \" + (playerAdded\n ? \"joined.\" : \"left.\"));\n\n } else if (type == \"1\") {\n // We received a new DrawMessage.\n var maxLastHandledId = -1;\n var drawMessages = msg.substring(1).split(\"|\");\n for (var i = 0; i < drawMessages.length; i++) {\n var elements = drawMessages[i].split(\",\");\n var lastHandledId = parseInt(elements[0]);\n maxLastHandledId = Math.max(maxLastHandledId,\n lastHandledId);\n\n var path = new Path(\n parseInt(elements[1]),\n [parseInt(elements[2]),\n parseInt(elements[3]),\n parseInt(elements[4]),\n parseInt(elements[5]) / 255.0],\n parseFloat(elements[6]),\n parseFloat(elements[7]),\n parseFloat(elements[8]),\n parseFloat(elements[9]),\n parseFloat(elements[10]),\n elements[11] != \"0\");\n\n // Draw the path onto the last canvas.\n path.draw(canvasServerImageCtx);\n }\n\n // Draw the last canvas onto the background one.\n canvasBackgroundCtx.drawImage(canvasServerImage,\n 0, 0);\n\n // Now go through the pathsNotHandled array and\n // remove the paths that were already handled by\n // the server.\n while (pathsNotHandled.length > 0\n && pathsNotHandled[0].id <= maxLastHandledId)\n pathsNotHandled.shift();\n\n // Now me must draw the remaining paths onto\n // the background canvas.\n for (var i = 0; i < pathsNotHandled.length; i++) {\n pathsNotHandled[i].path.draw(canvasBackgroundCtx);\n }\n\n refreshDisplayCanvas();\n }\n }\n }\n }\n };\n\n socket.onmessage = function(message) {\n eventForwarder.callFunction(function() {\n handleOnMessage(message);\n });\n };\n\n }\n\n\n function refreshPlayerCount() {\n labelPlayerCount.nodeValue = String(playerCount);\n }\n\n function refreshDisplayCanvas() {\n if (!isActive) { // Don't draw a curser when not active.\n return;\n }\n\n canvasDisplayCtx.drawImage(canvasBackground, 0, 0);\n if (currentPreviewPath != null) {\n // Draw the preview path.\n currentPreviewPath.draw(canvasDisplayCtx);\n\n } else if (mouseInWindow && !mouseDown) {\n canvasDisplayCtx.beginPath();\n var color = availableColors[currentColorIndex].slice(0);\n color[3] = previewTransparency;\n canvasDisplayCtx.fillStyle = rgb(color);\n\n canvasDisplayCtx.arc(currentMouseX, currentMouseY,\n availableThicknesses[currentThicknessIndex] / 2,\n 0, Math.PI * 2.0, true);\n canvasDisplayCtx.fill();\n }\n\n }\n\n function startControls() {\n isActive = true;\n\n labelContainer.removeChild(placeholder);\n placeholder = undefined;\n\n labelContainer.appendChild(\n document.createTextNode(\"Number of Players: \"));\n labelContainer.appendChild(labelPlayerCount);\n\n\n drawContainer.style.display = \"block\";\n drawContainer.appendChild(canvasDisplay);\n\n drawContainer.appendChild(optionContainer);\n\n canvasMouseDownHandler = function(e) {\n if (e.button == 0) {\n currentMouseX = e.pageX - canvasDisplay.offsetLeft;\n currentMouseY = e.pageY - canvasDisplay.offsetTop;\n\n mouseDown = true;\n canvasMouseMoveHandler(e);\n\n } else if (mouseDown) {\n // Cancel drawing.\n mouseDown = false;\n currentPreviewPath = null;\n\n currentMouseX = e.pageX - canvasDisplay.offsetLeft;\n currentMouseY = e.pageY - canvasDisplay.offsetTop;\n\n refreshDisplayCanvas();\n }\n };\n canvasDisplay.addEventListener(\"mousedown\", canvasMouseDownHandler, false);\n\n canvasMouseMoveHandler = function(e) {\n var mouseX = e.pageX - canvasDisplay.offsetLeft;\n var mouseY = e.pageY - canvasDisplay.offsetTop;\n\n if (mouseDown) {\n var drawType = availableDrawTypes[currentDrawTypeIndex];\n\n if (drawType.continuous) {\n\n var path = new Path(drawType.id,\n availableColors[currentColorIndex],\n availableThicknesses[currentThicknessIndex],\n currentMouseX, currentMouseY, mouseX,\n mouseY, false);\n // Draw it on the background canvas.\n path.draw(canvasBackgroundCtx);\n\n // Send it to the sever.\n pushPath(path);\n\n // Refresh old coordinates\n currentMouseX = mouseX;\n currentMouseY = mouseY;\n\n } else {\n // Create a new preview path.\n var color = availableColors[currentColorIndex].slice(0);\n color[3] = previewTransparency;\n currentPreviewPath = new Path(drawType.id,\n color,\n availableThicknesses[currentThicknessIndex],\n currentMouseX, currentMouseY, mouseX,\n mouseY, false);\n }\n\n refreshDisplayCanvas();\n } else {\n currentMouseX = mouseX;\n currentMouseY = mouseY;\n\n if (mouseInWindow) {\n refreshDisplayCanvas();\n }\n }\n\n };\n document.addEventListener(\"mousemove\", canvasMouseMoveHandler, false);\n\n document.addEventListener(\"mouseup\", function(e) {\n if (e.button == 0) {\n if (mouseDown) {\n mouseDown = false;\n currentPreviewPath = null;\n\n var mouseX = e.pageX - canvasDisplay.offsetLeft;\n var mouseY = e.pageY - canvasDisplay.offsetTop;\n var drawType = availableDrawTypes[currentDrawTypeIndex];\n\n var path = new Path(drawType.id, availableColors[currentColorIndex],\n availableThicknesses[currentThicknessIndex],\n currentMouseX, currentMouseY, mouseX,\n mouseY, true);\n // Draw it on the background canvas.\n path.draw(canvasBackgroundCtx);\n\n // Send it to the sever.\n pushPath(path);\n\n // Refresh old coordinates\n currentMouseX = mouseX;\n currentMouseY = mouseY;\n\n refreshDisplayCanvas();\n }\n }\n }, false);\n\n canvasDisplay.addEventListener(\"mouseout\", function(e) {\n mouseInWindow = false;\n refreshDisplayCanvas();\n }, false);\n\n canvasDisplay.addEventListener(\"mousemove\", function(e) {\n if (!mouseInWindow) {\n mouseInWindow = true;\n refreshDisplayCanvas();\n }\n }, false);\n\n\n // Create color and thickness controls.\n var colorContainersBox = document.createElement(\"div\");\n colorContainersBox.setAttribute(\"style\",\n \"margin: 4px; border: 1px solid #bbb; border-radius: 3px;\");\n optionContainer.appendChild(colorContainersBox);\n\n colorContainers = new Array(3 * 3 * 3);\n for (var i = 0; i < colorContainers.length; i++) {\n var colorContainer = colorContainers[i] =\n document.createElement(\"div\");\n var color = availableColors[i] =\n [\n Math.floor((i % 3) * 255 / 2),\n Math.floor((Math.floor(i / 3) % 3) * 255 / 2),\n Math.floor((Math.floor(i / (3 * 3)) % 3) * 255 / 2),\n 1.0\n ];\n colorContainer.setAttribute(\"style\",\n \"margin: 3px; width: 18px; height: 18px; \"\n + \"float: left; background-color: \" + rgb(color));\n colorContainer.style.border = '2px solid #000';\n colorContainer.addEventListener(\"mousedown\", (function(ix) {\n return function() {\n setColor(ix);\n };\n })(i), false);\n\n colorContainersBox.appendChild(colorContainer);\n }\n\n var divClearLeft = document.createElement(\"div\");\n divClearLeft.setAttribute(\"style\", \"clear: left;\");\n colorContainersBox.appendChild(divClearLeft);\n\n\n var drawTypeContainersBox = document.createElement(\"div\");\n drawTypeContainersBox.setAttribute(\"style\",\n \"float: right; margin-right: 3px; margin-top: 1px;\");\n optionContainer.appendChild(drawTypeContainersBox);\n\n drawTypeContainers = new Array(availableDrawTypes.length);\n for (var i = 0; i < drawTypeContainers.length; i++) {\n var drawTypeContainer = drawTypeContainers[i] =\n document.createElement(\"div\");\n drawTypeContainer.setAttribute(\"style\",\n \"text-align: center; margin: 3px; padding: 0 3px;\"\n + \"height: 18px; float: left;\");\n drawTypeContainer.style.border = \"2px solid #000\";\n drawTypeContainer.appendChild(document.createTextNode(\n String(availableDrawTypes[i].name)));\n drawTypeContainer.addEventListener(\"mousedown\", (function(ix) {\n return function() {\n setDrawType(ix);\n };\n })(i), false);\n\n drawTypeContainersBox.appendChild(drawTypeContainer);\n }\n\n\n var thicknessContainersBox = document.createElement(\"div\");\n thicknessContainersBox.setAttribute(\"style\",\n \"margin: 3px; border: 1px solid #bbb; border-radius: 3px;\");\n optionContainer.appendChild(thicknessContainersBox);\n\n thicknessContainers = new Array(availableThicknesses.length);\n for (var i = 0; i < thicknessContainers.length; i++) {\n var thicknessContainer = thicknessContainers[i] =\n document.createElement(\"div\");\n thicknessContainer.setAttribute(\"style\",\n \"text-align: center; margin: 3px; width: 18px; \"\n + \"height: 18px; float: left;\");\n thicknessContainer.style.border = \"2px solid #000\";\n thicknessContainer.appendChild(document.createTextNode(\n String(availableThicknesses[i])));\n thicknessContainer.addEventListener(\"mousedown\", (function(ix) {\n return function() {\n setThickness(ix);\n };\n })(i), false);\n\n thicknessContainersBox.appendChild(thicknessContainer);\n }\n\n\n divClearLeft = document.createElement(\"div\");\n divClearLeft.setAttribute(\"style\", \"clear: left;\");\n thicknessContainersBox.appendChild(divClearLeft);\n\n\n setColor(0);\n setThickness(0);\n setDrawType(0);\n\n }\n\n function disableControls() {\n document.removeEventListener(\"mousedown\", canvasMouseDownHandler);\n document.removeEventListener(\"mousemove\", canvasMouseMoveHandler);\n mouseInWindow = false;\n refreshDisplayCanvas();\n\n isActive = false;\n }\n\n function pushPath(path) {\n\n // Push it into the pathsNotHandled array.\n var container = new PathIdContainer(path, nextMsgId++);\n pathsNotHandled.push(container);\n\n // Send the path to the server.\n var message = container.id + \"|\" + path.type + \",\"\n + path.color[0] + \",\" + path.color[1] + \",\"\n + path.color[2] + \",\"\n + Math.round(path.color[3] * 255.0) + \",\"\n + path.thickness + \",\" + path.x1 + \",\"\n + path.y1 + \",\" + path.x2 + \",\" + path.y2 + \",\"\n + (path.lastInChain ? \"1\" : \"0\");\n\n socket.send(\"1\" + message);\n }\n\n function setThickness(thicknessIndex) {\n if (typeof currentThicknessIndex !== \"undefined\")\n thicknessContainers[currentThicknessIndex]\n .style.borderColor = \"#000\";\n currentThicknessIndex = thicknessIndex;\n thicknessContainers[currentThicknessIndex]\n .style.borderColor = \"#d08\";\n }\n\n function setColor(colorIndex) {\n if (typeof currentColorIndex !== \"undefined\")\n colorContainers[currentColorIndex]\n .style.borderColor = \"#000\";\n currentColorIndex = colorIndex;\n colorContainers[currentColorIndex]\n .style.borderColor = \"#d08\";\n }\n\n function setDrawType(drawTypeIndex) {\n if (typeof currentDrawTypeIndex !== \"undefined\")\n drawTypeContainers[currentDrawTypeIndex]\n .style.borderColor = \"#000\";\n currentDrawTypeIndex = drawTypeIndex;\n drawTypeContainers[currentDrawTypeIndex]\n .style.borderColor = \"#d08\";\n }\n\n\n connect();\n\n }\n\n\n // Initialize the room\n var room = new Room(document.getElementById(\"drawContainer\"));\n\n\n }, false);\n\n })();\n ]]></script>",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/snake.xhtml",
"method": "GET",
"evidence": "<script type=\"application/javascript\"><![CDATA[\n \"use strict\";\n\n var Game = {};\n\n Game.fps = 30;\n Game.socket = null;\n Game.nextFrame = null;\n Game.interval = null;\n Game.direction = 'none';\n Game.gridSize = 10;\n\n function Snake() {\n this.snakeBody = [];\n this.color = null;\n }\n\n Snake.prototype.draw = function(context) {\n for (var id in this.snakeBody) {\n context.fillStyle = this.color;\n context.fillRect(this.snakeBody[id].x, this.snakeBody[id].y, Game.gridSize, Game.gridSize);\n }\n };\n\n Game.initialize = function() {\n this.entities = [];\n var canvas = document.getElementById('playground');\n if (!canvas.getContext) {\n Console.log('Error: 2d canvas not supported by this browser.');\n return;\n }\n this.context = canvas.getContext('2d');\n window.addEventListener('keydown', function (e) {\n var code = e.keyCode;\n if (code > 36 && code < 41) {\n switch (code) {\n case 37:\n if (Game.direction != 'east') Game.setDirection('west');\n break;\n case 38:\n if (Game.direction != 'south') Game.setDirection('north');\n break;\n case 39:\n if (Game.direction != 'west') Game.setDirection('east');\n break;\n case 40:\n if (Game.direction != 'north') Game.setDirection('south');\n break;\n }\n }\n }, false);\n if (window.location.protocol == 'http:') {\n Game.connect('ws://' + window.location.host + '/examples/websocket/snake');\n } else {\n Game.connect('wss://' + window.location.host + '/examples/websocket/snake');\n }\n };\n\n Game.setDirection = function(direction) {\n Game.direction = direction;\n Game.socket.send(direction);\n Console.log('Sent: Direction ' + direction);\n };\n\n Game.startGameLoop = function() {\n if (window.webkitRequestAnimationFrame) {\n Game.nextFrame = function () {\n webkitRequestAnimationFrame(Game.run);\n };\n } else if (window.mozRequestAnimationFrame) {\n Game.nextFrame = function () {\n mozRequestAnimationFrame(Game.run);\n };\n } else {\n Game.interval = setInterval(Game.run, 1000 / Game.fps);\n }\n if (Game.nextFrame != null) {\n Game.nextFrame();\n }\n };\n\n Game.stopGameLoop = function () {\n Game.nextFrame = null;\n if (Game.interval != null) {\n clearInterval(Game.interval);\n }\n };\n\n Game.draw = function() {\n this.context.clearRect(0, 0, 640, 480);\n for (var id in this.entities) {\n this.entities[id].draw(this.context);\n }\n };\n\n Game.addSnake = function(id, color) {\n Game.entities[id] = new Snake();\n Game.entities[id].color = color;\n };\n\n Game.updateSnake = function(id, snakeBody) {\n if (typeof Game.entities[id] != \"undefined\") {\n Game.entities[id].snakeBody = snakeBody;\n }\n };\n\n Game.removeSnake = function(id) {\n Game.entities[id] = null;\n // Force GC.\n delete Game.entities[id];\n };\n\n Game.run = (function() {\n var skipTicks = 1000 / Game.fps, nextGameTick = (new Date).getTime();\n\n return function() {\n while ((new Date).getTime() > nextGameTick) {\n nextGameTick += skipTicks;\n }\n Game.draw();\n if (Game.nextFrame != null) {\n Game.nextFrame();\n }\n };\n })();\n\n Game.connect = (function(host) {\n if ('WebSocket' in window) {\n Game.socket = new WebSocket(host);\n } else if ('MozWebSocket' in window) {\n Game.socket = new MozWebSocket(host);\n } else {\n Console.log('Error: WebSocket is not supported by this browser.');\n return;\n }\n\n Game.socket.onopen = function () {\n // Socket open.. start the game loop.\n Console.log('Info: WebSocket connection opened.');\n Console.log('Info: Press an arrow key to begin.');\n Game.startGameLoop();\n setInterval(function() {\n // Prevent server read timeout.\n Game.socket.send('ping');\n }, 5000);\n };\n\n Game.socket.onclose = function () {\n Console.log('Info: WebSocket closed.');\n Game.stopGameLoop();\n };\n\n Game.socket.onmessage = function (message) {\n var packet = JSON.parse(message.data);\n switch (packet.type) {\n case 'update':\n for (var i = 0; i < packet.data.length; i++) {\n Game.updateSnake(packet.data[i].id, packet.data[i].body);\n }\n break;\n case 'join':\n for (var j = 0; j < packet.data.length; j++) {\n Game.addSnake(packet.data[j].id, packet.data[j].color);\n }\n break;\n case 'leave':\n Game.removeSnake(packet.id);\n break;\n case 'dead':\n Console.log('Info: Your snake is dead, bad luck!');\n Game.direction = 'none';\n break;\n case 'kill':\n Console.log('Info: Head shot!');\n break;\n }\n };\n });\n\n var Console = {};\n\n Console.log = (function(message) {\n var console = document.getElementById('console');\n var p = document.createElement('p');\n p.style.wordWrap = 'break-word';\n p.innerHTML = message;\n console.appendChild(p);\n while (console.childNodes.length > 25) {\n console.removeChild(console.firstChild);\n }\n console.scrollTop = console.scrollHeight;\n });\n\n Game.initialize();\n\n\n document.addEventListener(\"DOMContentLoaded\", function() {\n // Remove elements with \"noscript\" class - <noscript> is not allowed in XHTML\n var noscripts = document.getElementsByClassName(\"noscript\");\n for (var i = 0; i < noscripts.length; i++) {\n noscripts[i].parentNode.removeChild(noscripts[i]);\n }\n }, false);\n\n ]]></script>",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/chat.xhtml",
"method": "GET",
"evidence": "<script type=\"application/javascript\"><![CDATA[\n \"use strict\";\n\n var Chat = {};\n\n Chat.socket = null;\n\n Chat.connect = (function(host) {\n if ('WebSocket' in window) {\n Chat.socket = new WebSocket(host);\n } else if ('MozWebSocket' in window) {\n Chat.socket = new MozWebSocket(host);\n } else {\n Console.log('Error: WebSocket is not supported by this browser.');\n return;\n }\n\n Chat.socket.onopen = function () {\n Console.log('Info: WebSocket connection opened.');\n document.getElementById('chat').onkeydown = function(event) {\n if (event.keyCode == 13) {\n Chat.sendMessage();\n }\n };\n };\n\n Chat.socket.onclose = function () {\n document.getElementById('chat').onkeydown = null;\n Console.log('Info: WebSocket closed.');\n };\n\n Chat.socket.onmessage = function (message) {\n Console.log(message.data);\n };\n });\n\n Chat.initialize = function() {\n if (window.location.protocol == 'http:') {\n Chat.connect('ws://' + window.location.host + '/examples/websocket/chat');\n } else {\n Chat.connect('wss://' + window.location.host + '/examples/websocket/chat');\n }\n };\n\n Chat.sendMessage = (function() {\n var message = document.getElementById('chat').value;\n if (message != '') {\n Chat.socket.send(message);\n document.getElementById('chat').value = '';\n }\n });\n\n var Console = {};\n\n Console.log = (function(message) {\n var console = document.getElementById('console');\n var p = document.createElement('p');\n p.style.wordWrap = 'break-word';\n p.innerHTML = message;\n console.appendChild(p);\n while (console.childNodes.length > 25) {\n console.removeChild(console.firstChild);\n }\n console.scrollTop = console.scrollHeight;\n });\n\n Chat.initialize();\n\n\n document.addEventListener(\"DOMContentLoaded\", function() {\n // Remove elements with \"noscript\" class - <noscript> is not allowed in XHTML\n var noscripts = document.getElementsByClassName(\"noscript\");\n for (var i = 0; i < noscripts.length; i++) {\n noscripts[i].parentNode.removeChild(noscripts[i]);\n }\n }, false);\n\n ]]></script>",
},
],
},
"id": "d6dc3899-b3fc-46cd-b544-590badef18fc",
},
{
"name": "Weak Authentication Method",
"description": "HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network.",
"category": "Weak Authentication Method",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "MEDIUM",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "3",
"zap_solution": "Protect the connection using HTTPS or use a stronger authentication mechanism",
"zap_otherinfo": null,
"zap_reference": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html",
"zap_cweid": "326",
"zap_wascid": "4",
"zap_riskcode": "2",
"zap_pluginid": "10105",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/manager/html",
"method": "GET",
"evidence": 'WWW-Authenticate: Basic realm="Tomcat Manager Application"',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/manager/status",
"method": "GET",
"evidence": 'WWW-Authenticate: Basic realm="Tomcat Manager Application"',
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/host-manager/html",
"method": "GET",
"evidence": 'WWW-Authenticate: Basic realm="Tomcat Host Manager Application"',
},
],
},
"id": "ed7e142a-ea90-4cff-9bfa-214eb99fdf91",
},
{
"name": "Content-Type Header Missing",
"description": "The Content-Type header was either missing or empty.",
"category": "Content-Type Header Missing",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "INFORMATIONAL",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "2",
"zap_solution": "Ensure each page is setting the specific and appropriate content-type value for the content being delivered.",
"zap_otherinfo": null,
"zap_reference": "http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx",
"zap_cweid": "345",
"zap_wascid": "12",
"zap_riskcode": "0",
"zap_pluginid": "10019",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/sample/sample.war",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/async/async2",
"method": "GET",
},
],
},
"id": "e56b88b8-68cd-4b11-b826-208126850a87",
},
{
"name": "Cookie Without SameSite Attribute",
"description": "A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.",
"category": "Cookie Without SameSite Attribute",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "LOW",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "4",
"zap_solution": "Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.",
"zap_otherinfo": null,
"zap_reference": "https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site",
"zap_cweid": "16",
"zap_wascid": "13",
"zap_riskcode": "1",
"zap_pluginid": "10054",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/security/protected/index.jsp",
"method": "GET",
"param": "JSESSIONID",
"evidence": "Set-Cookie: JSESSIONID",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/basic-arithmetic.jsp",
"method": "GET",
"param": "JSESSIONID",
"evidence": "Set-Cookie: JSESSIONID",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/basic-comparisons.jsp",
"method": "GET",
"param": "JSESSIONID",
"evidence": "Set-Cookie: JSESSIONID",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
"method": "POST",
"param": "ZAP",
"evidence": "Set-Cookie: ZAP",
},
],
},
"id": "fcbdde04-17da-482c-9c68-e9a3b8cdf1fb",
},
{
"name": "Cookie Poisoning",
"description": "This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug.",
"category": "Cookie Poisoning",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "INFORMATIONAL",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "1",
"zap_count": "2",
"zap_solution": "Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters.",
"zap_otherinfo": "An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example: http://nottrusted.com/page?value=maliciousInput.This was identified at:http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExampleUser-input was found in the following cookie:ZAP=ZAP; Path=/examples/The user input was:cookievalue=ZAP",
"zap_reference": "http://websecuritytool.codeplex.com/wikipage?title=Checks#user-controlled-cookie",
"zap_cweid": "20",
"zap_wascid": "20",
"zap_riskcode": "0",
"zap_pluginid": "10029",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
"method": "POST",
"param": "cookievalue",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
"method": "POST",
"param": "cookiename",
},
],
},
"id": "f548884e-276e-4631-a32d-1ee3a803e031",
},
{
"name": "Information Disclosure - Suspicious Comments",
"description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.",
"category": "Information Disclosure - Suspicious Comments",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "INFORMATIONAL",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "1",
"zap_count": "5",
"zap_solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"zap_otherinfo": "The following comment/snippet was identified via the pattern: \\bADMIN\\b \"use strict\"; // Enable strict mode (function() { var thisScript = document.currentScript; if (!thisScript) { // Workaround for IE var scripts = document.getElementsByTagName(\"script\"); thisScript = scripts[scripts.length - 1]; } document.addEventListener(\"DOMContentLoaded\", (function() { var commentsDiv = document.getElementById(\"comments_thread\"); var commentsShortname = \"tomcat\"; var commentsIdentifier = \"http://tomcat.apache.org/\" + thisScript.getAttribute(\"data-comments-identifier\") + \".html\"; (function(w, d) { if (w.location.hostname.toLowerCase() == \"tomcat.apache.org\") { var s = d.createElement(\"script\"); s.type = \"application/javascript\"; s.async = true; s.src = \"https://comments.apache.org/show_comments.lua?site=\" + encodeURIComponent(commentsShortname) + \"&page=\" + encodeURIComponent(commentsIdentifier); d.head.appendChild(s); } else { commentsDiv.appendChild(d.createTextNode(\"Comments are disabled for this page at the moment.\")); } })(window, document); }), false); })(); ",
"zap_reference": null,
"zap_cweid": "200",
"zap_wascid": "13",
"zap_riskcode": "0",
"zap_pluginid": "10027",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-admin-opers.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/drawboard.xhtml",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-admin-objects.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/echo.xhtml",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-admin-apps.html",
"method": "GET",
},
],
},
"id": "3d9212bf-54d8-4be4-8c47-18c7f006dee7",
},
{
"name": "Cookie No HttpOnly Flag",
"description": "A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.",
"category": "Cookie No HttpOnly Flag",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "LOW",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "1",
"zap_solution": "Ensure that the HttpOnly flag is set for all cookies.",
"zap_otherinfo": null,
"zap_reference": "https://owasp.org/www-community/HttpOnly",
"zap_cweid": "16",
"zap_wascid": "13",
"zap_riskcode": "1",
"zap_pluginid": "10010",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
"method": "POST",
"param": "ZAP",
"evidence": "Set-Cookie: ZAP",
},
],
},
"id": "7854eea8-b291-4273-ab3a-4ada6ba472f2",
},
{
"name": "Information Disclosure - Suspicious Comments",
"description": "The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.",
"category": "Information Disclosure - Suspicious Comments",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "INFORMATIONAL",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "2",
"zap_solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.",
"zap_otherinfo": "The following comment/snippet was identified via the pattern: \\bADMINISTRATOR\\b String constants used within your application, which can be customized by the system administrator who is installing your application. The values actually assigned to these parameters can be retrieved in a servlet or JSP page by calling: String value = getServletContext().getInitParameter(\"name\"); where \"name\" matches the element of one of these initialization parameters. You can define any number of context initialization parameters, including zero. -->The following comment/snippet was identified via the pattern: \\bWHERE\\b your web application, including initialization parameters. With Tomcat, you can also send requests to servlets not listed here with a request like this: http://localhost:8080/{context-path}/servlet/{classname} but this usage is not guaranteed to be portable. It also makes relative references to images and other resources required by your servlet more complicated, so defining all of your servlets (and defining a mapping to them with a servlet-mapping element) is recommended. Servlet initialization parameters can be retrieved in a servlet or JSP page by calling: String value = getServletConfig().getInitParameter(\"name\"); where \"name\" matches the element of one of these initialization parameters. You can define any number of servlets, including zero. -->The following comment/snippet was identified via the pattern: \\bFROM\\b in minutes. From a servlet or JSP page, you can modify the timeout for a particular session dynamically by using HttpSession.getMaxInactiveInterval(). -->",
"zap_reference": null,
"zap_cweid": "200",
"zap_wascid": "13",
"zap_riskcode": "0",
"zap_pluginid": "10027",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/web.xml.txt",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/build.xml.txt",
"method": "GET",
},
],
},
"id": "dbf95dc8-8a08-43a6-86c7-e34e892410d4",
},
{
"name": "Application Error Disclosure",
"description": "This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.",
"category": "Application Error Disclosure",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "LOW",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "1",
"zap_solution": "Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.",
"zap_otherinfo": null,
"zap_reference": null,
"zap_cweid": "200",
"zap_wascid": "13",
"zap_riskcode": "1",
"zap_pluginid": "90022",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/error/err.jsp?name=bmw328i&submit=Submit",
"method": "GET",
"evidence": "HTTP/1.1 500 Internal Server Error",
},
],
},
"id": "bfe66cec-6da6-474c-933e-683c2c9fffbf",
},
{
"name": "Information Disclosure - Debug Error Messages",
"description": "The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages.",
"category": "Information Disclosure - Debug Error Messages",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "LOW",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "1",
"zap_solution": "Disable debugging messages before pushing to production.",
"zap_otherinfo": null,
"zap_reference": null,
"zap_cweid": "200",
"zap_wascid": "13",
"zap_riskcode": "1",
"zap_pluginid": "10023",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/changelog.html",
"method": "GET",
"evidence": "internal server error",
},
],
},
"id": "325de9a9-63f3-4ec1-a6aa-fd0e1eeae7c4",
},
]
demo-bodgeit-full-scan
- Scan
- Findings
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "zap-full-scan-bodgeit"
spec:
scanType: "zap-full-scan"
parameters:
# target URL including the protocol
- "-t"
- "http://bodgeit.demo-targets.svc:8080"
# include the alpha active and passive scan rules as well
- "-a"
# show debug messages
- "-d"
# the number of minutes to spider for (default 1)
- "-m"
- "3"
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
[
{
"name": "HTTP Only Site",
"description": "The site is only served under HTTP and not HTTPS.",
"category": "HTTP Only Site",
"location": "https://bodgeit.demo-targets.svc",
"osi_layer": "APPLICATION",
"severity": "MEDIUM",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "1",
"zap_solution": "Configure your web or application server to use SSL (https).",
"zap_otherinfo": "Failed to connect.ZAP attempted to connect via: https://bodgeit.demo-targets.svc:443",
"zap_reference": "https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.htmlhttps://letsencrypt.org/",
"zap_cweid": "311",
"zap_wascid": "4",
"zap_riskcode": "2",
"zap_pluginid": "10106",
"zap_finding_urls":
[{"uri": "http://bodgeit.demo-targets.svc:8080", "method": "GET"}],
},
"id": "f8f1514f-17ea-4227-9d7f-9c46f35ff798",
},
{
"name": "Insecure HTTP Method - PUT",
"description": "This method was originally intended for file managemant operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource..",
"category": "Insecure HTTP Method - PUT",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "MEDIUM",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "323",
"zap_solution": "TBA",
"zap_otherinfo": "See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see http://www.restapitutorial.com/lessons/httpmethods.html",
"zap_reference": "http://projects.webappsec.org/Fingerprinting",
"zap_cweid": "200",
"zap_wascid": "45",
"zap_riskcode": "2",
"zap_pluginid": "90028",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/misc/EchoAttributesTag.java.html/s8uclk08bz",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/snp/snoop.html/tzuj5ogtbx",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/forward/fwd.html/3t6zfqtnqe",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/x351y6uhoj",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/catalina/manager/psvhs1vz88",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/jts.html/dd6wfwbmkl",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/ServletToJsp.java.html/3vdg6c89rv",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/ktyhhbonqd",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/cal/calendar.html/7rx7ih6pz8",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/composite.jsp.html/2sw49hyduf",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-jndi-realm.html/oz35t93hex",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-interceptor.html/7b3iipmfhp",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/tagfiles/panel.html/o7g7pdpkkz",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/catalina/tribes/package-summary.html/q94lxax2bm",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/jspapi/tu7ozpyxxx",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/tagfiles/helloWorld.tag.html/wch3hc25o5",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/implicit-objects.html/fzjtgyhfrt",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/aio.html/737jz15t5z",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/transport.html/tme98v7qo3",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/web.xml.txt/3feawr1mrb",
"method": "PUT",
"evidence": "response code 403 for potentially insecure HTTP METHOD",
},
],
},
"id": "36058f3d-b8e3-4a79-9672-63a8fca166cc",
},
{
"name": "User Agent Fuzzer",
"description": "Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.",
"category": "User Agent Fuzzer",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "INFORMATIONAL",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "455",
"zap_solution": null,
"zap_otherinfo": null,
"zap_reference": "https://owasp.org/wstg",
"zap_cweid": null,
"zap_wascid": null,
"zap_riskcode": "0",
"zap_pluginid": "10104",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspattribute",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/chat",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/host-manager",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/servletapi",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/requestProcess",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/checkbox",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/snp",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/RequestHeaderExample",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/elapi",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/snp/snoop.jsp",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/sample",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/security",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspattribute/shuffle.jsp",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/tagfiles",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/websocketapi",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspattribute",
"method": "GET",
"param": "Header User-Agent",
"attack": "msnbot/1.1 (+http://search.msn.com/msnbot.htm)",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/host-manager",
"method": "GET",
"param": "Header User-Agent",
"attack": "msnbot/1.1 (+http://search.msn.com/msnbot.htm)",
},
],
},
"id": "a011c334-3762-45ef-ad72-16e58bf826e4",
},
{
"name": 'Server Leaks Version Information via "Server" HTTP Response Header Field',
"description": 'The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.',
"category": 'Server Leaks Version Information via "Server" HTTP Response Header Field',
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "LOW",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "3",
"zap_count": "337",
"zap_solution": 'Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.',
"zap_otherinfo": null,
"zap_reference": "http://httpd.apache.org/docs/current/mod/core.html#servertokenshttp://msdn.microsoft.com/en-us/library/ff648552.aspx#ht_urlscan_007http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspxhttp://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html",
"zap_cweid": "200",
"zap_wascid": "13",
"zap_riskcode": "1",
"zap_pluginid": "10036",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/implicit-objects.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/index.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspattribute/shuffle.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/ServletToJsp.java.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-default.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/FindBookSimpleTag.java.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/snp/snoop.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspx/basic.jspx",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/tagplugin/if.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/snp/snoop.jsp",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/cal/login.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/repeat.jsp",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/jndi-resources-howto.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/status.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=foo&datavalue=bar",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/checkbox/checkresult.jsp?fruit=apples&submit=Submit",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/cookies.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/plugin/plugin.jsp",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/monitoring.html",
"method": "GET",
"evidence": "Apache-Coyote/1.1",
},
],
},
"id": "b0ce669e-58c4-498a-a276-8d3a13c148d6",
},
{
"name": "X-Frame-Options Header Not Set",
"description": "X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.",
"category": "X-Frame-Options Header Not Set",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "MEDIUM",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "280",
"zap_solution": "Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).",
"zap_otherinfo": null,
"zap_reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
"zap_cweid": "16",
"zap_wascid": "15",
"zap_riskcode": "2",
"zap_pluginid": "10020",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/include/include.jsp.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/automatic-deployment.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/tagfiles/hello.jsp",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/cluster-howto.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/interceptors.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/installation.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/ValuesBean.java.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/context.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/checkbox/checkresult.jsp.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-receiver.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/index.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/simpletag/foo.jsp.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/book.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/realm-howto.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/ssi-howto.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/index.html",
"method": "GET",
"param": "X-Frame-Options",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/introduction.html",
"method": "GET",
"param": "X-Frame-Options",
},
],
},
"id": "392b9b9b-01f7-4cb5-85f2-3b539e25a4c4",
},
{
"name": "Feature Policy Header Not Set",
"description": "Feature Policy Header is an added layer of security that helps to restrict from unauthorized access or usage of browser/client features by web resources. This policy ensures the user privacy by limiting or specifying the features of the browsers can be used by the web resources. Feature Policy provides a set of standard HTTP headers that allow website owners to limit which features of browsers can be used by the page such as camera, microphone, location, full screen etc.",
"category": "Feature Policy Header Not Set",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "LOW",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "298",
"zap_solution": "Ensure that your web server, application server, load balancer, etc. is configured to set the Feature-Policy header.",
"zap_otherinfo": null,
"zap_reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policyhttps://developers.google.com/web/updates/2018/06/feature-policyhttps://scotthelme.co.uk/a-new-security-header-feature-policy/https://w3c.github.io/webappsec-feature-policy/https://www.smashingmagazine.com/2018/12/feature-policy/",
"zap_cweid": "16",
"zap_wascid": "15",
"zap_riskcode": "1",
"zap_pluginid": "10063",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/dates/date.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/index.xhtml",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/jspapi/index.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/rewrite.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/tagplugin/choose.jsp",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/jts.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/api/index.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-admin-apps.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/plugin/plugin.jsp",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/comments.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/resources.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/error/err.jsp.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=foo&datavalue=bar",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/tagplugin/foreach.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/hello.jsp.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/Functions.java.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/deployer-howto.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/FindBookSimpleTag.java.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspattribute/shuffle.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/docs/config/jar-scanner.html",
"method": "GET",
},
],
},
"id": "faf1dc34-65c0-4771-b2cd-2c92b181d263",
},
{
"name": "Cookie Slack Detector",
"description": "Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced.",
"category": "Cookie Slack Detector",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "LOW",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "1",
"zap_count": "186",
"zap_solution": null,
"zap_otherinfo": "NOTE: Because of its name this cookie may be important, but dropping it appears to have no effect: [JSESSIONID] Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.These cookies affected the response: These cookies did NOT affect the response: JSESSIONID",
"zap_reference": "http://projects.webappsec.org/Fingerprinting",
"zap_cweid": "200",
"zap_wascid": "45",
"zap_riskcode": "1",
"zap_pluginid": "90027",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/images/execute.gif",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/ServletToJsp.java.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/error/er.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.jsp?item=X-files+movie&submit=remove",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/chat",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/num/numguess.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/checkbox/checkresult.jsp?fruit=apples&submit=Submit",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/FindBookSimpleTag.java.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/basic-arithmetic.jsp.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/Functions.java.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/clr.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/images/return.gif",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/tagplugin/if.jsp.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/images/read.gif",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/composite.jsp",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/hello.jsp.html",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/images",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/images/execute.gif",
"method": "GET",
},
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/tagfiles/panel.html",
"method": "GET",
},
],
},
"id": "19fef1b7-287a-47a9-a4e0-f2e65f7fa8d0",
},
{
"name": "Storable and Cacheable Content",
"description": 'The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where "shared" caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.',
"category": "Storable and Cacheable Content",
"location": "http://bodgeit.demo-targets.svc:8080",
"osi_layer": "APPLICATION",
"severity": "INFORMATIONAL",
"attributes":
{
"hostname": "bodgeit.demo-targets.svc",
"zap_confidence": "2",
"zap_count": "329",
"zap_solution": "Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:Cache-Control: no-cache, no-store, must-revalidate, privatePragma: no-cacheExpires: 0This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. ",
"zap_otherinfo": "In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.",
"zap_reference": "https://tools.ietf.org/html/rfc7234https://tools.ietf.org/html/rfc7231http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (obsoleted by rfc7234)",
"zap_cweid": "524",
"zap_wascid": "13",
"zap_riskcode": "0",
"zap_pluginid": "10049",
"zap_finding_urls":
[
{
"uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/jsptoservlet.jsp.html"<