diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 000000000..65970ccb9 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,6 @@ +## Goal +## Changes +## Testing +- [ ] Clear, descriptive PR title +- [ ] Documentation updated +- [ ] No secrets committed \ No newline at end of file diff --git a/gen.conf b/gen.conf new file mode 100644 index 000000000..f668d824d --- /dev/null +++ b/gen.conf @@ -0,0 +1,70 @@ +# zap-baseline rule configuration file +# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches +# Only the rule identifiers are used - the names are just for info +# You can add your own messages to each rule by appending them after a tab on each line. +10003 WARN (Vulnerable JS Library (Powered by Retire.js)) +10009 WARN (In Page Banner Information Leak) +10010 WARN (Cookie No HttpOnly Flag) +10011 WARN (Cookie Without Secure Flag) +10015 WARN (Re-examine Cache-control Directives) +10017 WARN (Cross-Domain JavaScript Source File Inclusion) +10019 WARN (Content-Type Header Missing) +10020 WARN (Anti-clickjacking Header) +10021 WARN (X-Content-Type-Options Header Missing) +10023 WARN (Information Disclosure - Debug Error Messages) +10024 WARN (Information Disclosure - Sensitive Information in URL) +10025 WARN (Information Disclosure - Sensitive Information in HTTP Referrer Header) +10026 WARN (HTTP Parameter Override) +10027 WARN (Information Disclosure - Suspicious Comments) +10028 WARN (Off-site Redirect) +10029 WARN (Cookie Poisoning) +10030 WARN (User Controllable Charset) +10031 WARN (User Controllable HTML Element Attribute (Potential XSS)) +10032 WARN (Viewstate) +10033 WARN (Directory Browsing) +10034 WARN (Heartbleed OpenSSL Vulnerability (Indicative)) +10035 WARN (Strict-Transport-Security Header) +10036 WARN (HTTP Server Response Header) +10037 WARN (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)) +10038 WARN (Content Security Policy (CSP) Header Not Set) +10039 WARN (X-Backend-Server Header Information Leak) +10040 WARN (Secure Pages Include Mixed Content) +10041 WARN (HTTP to HTTPS Insecure Transition in Form Post) +10042 WARN (HTTPS to HTTP Insecure Transition in Form Post) +10043 WARN (User Controllable JavaScript Event (XSS)) +10044 WARN (Big Redirect Detected (Potential Sensitive Information Leak)) +10049 WARN (Content Cacheability) +10050 WARN (Retrieved from Cache) +10052 WARN (X-ChromeLogger-Data (XCOLD) Header Information Leak) +10054 WARN (Cookie without SameSite Attribute) +10055 WARN (CSP) +10056 WARN (X-Debug-Token Information Leak) +10057 WARN (Username Hash Found) +10061 WARN (X-AspNet-Version Response Header) +10062 WARN (PII Disclosure) +10063 WARN (Permissions Policy Header Not Set) +10096 WARN (Timestamp Disclosure) +10097 WARN (Hash Disclosure) +10098 WARN (Cross-Domain Misconfiguration) +10099 WARN (Source Code Disclosure) +10105 WARN (Weak Authentication Method) +10108 WARN (Reverse Tabnabbing) +10109 WARN (Modern Web Application) +10110 WARN (Dangerous JS Functions) +10111 WARN (Authentication Request Identified) +10112 WARN (Session Management Response Identified) +10113 WARN (Verification Request Identified) +10115 WARN (Script Served From Malicious Domain (polyfill)) +10116 WARN (ZAP is Out of Date) +10202 WARN (Absence of Anti-CSRF Tokens) +2 WARN (Private IP Disclosure) +3 WARN (Session ID in URL Rewrite) +50001 WARN (Script Passive Scan Rules) +90001 WARN (Insecure JSF ViewState) +90002 WARN (Java Serialization Object) +90003 WARN (Sub Resource Integrity Attribute Missing) +90004 WARN (Insufficient Site Isolation Against Spectre Vulnerability) +90011 WARN (Charset Mismatch) +90022 WARN (Application Error Disclosure) +90030 WARN (WSDL File Detection) +90033 WARN (Loosely Scoped Cookie) diff --git a/labs/assets/zap-report.png b/labs/assets/zap-report.png new file mode 100644 index 000000000..722171ae2 Binary files /dev/null and b/labs/assets/zap-report.png differ diff --git a/labs/submission9.md b/labs/submission9.md new file mode 100644 index 000000000..294f5538c --- /dev/null +++ b/labs/submission9.md @@ -0,0 +1,140 @@ +### Task 1 + +#### OWASP ZAP baseline scan + +```bash +$ docker run -d --name juice-shop -p 3000:3000 bkimminich/juice-shop +... + +$ docker run --rm -u zap -v $(pwd):/zap/wrk:rw \ + -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \ + -t http://host.docker.internal:3000 \ + -g gen.conf \ + -r zap-report.html +Total of 123 URLs +... +FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 6 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 60 +``` + +Generated report overview: + +![zap report](assets/zap-report.png) + +#### Findings + +- Number of Medium risk vulnerabilities found: `2` +- Total warning-level findings in baseline output: `6` + +The 2 most interesting Medium findings were: + +1. **Content Security Policy (CSP) Header Not Set** + - The report marks this as `Medium`. + - Without CSP, the browser has fewer restrictions on which scripts and resources can be loaded. + - This can make XSS-style attacks easier. + +2. **Cross-Domain Misconfiguration** + - The report marks this as `Medium`. + - Cross-origin settings may be too permissive. + - This can expose resources to unintended origins. + +#### Security headers status + +From the report: + +- Missing / invalid: + - `Content-Security-Policy` + - `Cross-Origin-Embedder-Policy` + - `Cross-Origin-Opener-Policy` +- Not raised as problems by the baseline scan: + - anti-clickjacking header + - `X-Content-Type-Options` + +These headers matter because they help browsers enforce safer behavior and reduce the impact of script injection, MIME confusion, and cross-origin abuse. + +#### Analysis + +The most common web application issues are usually weak browser-side protections, missing security headers, unsafe JavaScript behavior, information disclosure, and cross-origin misconfigurations. Even when there is no direct exploit shown by the baseline scan, these weaknesses make the application easier to attack. + +#### Cleanup + +```bash +$ docker stop juice-shop && docker rm juice-shop +juice-shop +juice-shop +``` + +### Task 2 + +#### Trivy scan summary + +From the Trivy output: + +- Total `CRITICAL` vulnerabilities: `19` +- Total `HIGH` vulnerabilities: `46` + +Summary shown by Trivy: + +```text +Node.js (node-pkg) +================== +Total: 65 (HIGH: 46, CRITICAL: 19) +``` + +#### Vulnerable packages + +Two example vulnerable packages from the scan: + +1. `crypto-js` + - `CVE-2023-46233` + - Severity: `CRITICAL` + - Title: `PBKDF2 1,000 times weaker than specified` + +2. `jsonwebtoken` + - `CVE-2015-9235` + - Severity: `CRITICAL` + - Title: `verification step bypass with an altered token` + +Other vulnerable packages also appeared in the report, for example: +- `lodash` +- `marsdb` +- `tar` +- `vm2` +- `ws` + +#### Most common vulnerability type + +The most common issue type was vulnerable or outdated third-party Node.js dependencies. A lot of findings were related to: +- denial of service +- sandbox escape / arbitrary code execution +- verification / authentication bypass +- prototype pollution + +#### Additional findings + +Trivy also detected secret material in the image: + +```text +/juice-shop/build/lib/insecurity.js -> AsymmetricPrivateKey +/juice-shop/lib/insecurity.ts -> AsymmetricPrivateKey +``` + +#### Analysis + +Container image scanning is important before production because vulnerabilities are often already present in the base image or bundled dependencies before the application even starts. If these issues are not found early, they can be deployed directly into production environments. + +#### Reflection + +I would integrate these scans into CI/CD by running: +- ZAP baseline scans against preview or test deployments +- Trivy image scans right after the image build step + +I would fail the pipeline on critical findings, store reports as CI artifacts, and require remediation before deployment to production. + +#### Cleanup + +```bash +$ docker rmi bkimminich/juice-shop +Untagged: bkimminich/juice-shop:latest +Deleted: sha256:a8139c141311c7f31fcf2e611125246928f703ee42827de33983fd9425d1b2f6 +``` + diff --git a/zap-report.html b/zap-report.html new file mode 100644 index 000000000..ee7b7bdc2 --- /dev/null +++ b/zap-report.html @@ -0,0 +1,2895 @@ + + + + +ZAP Scanning Report + + + +

+ + + ZAP Scanning Report +

+

+ + +

+ + Site: http://host.docker.internal:3000 + +

+ +

+ Generated on Sun, 10 May 2026 10:16:17 +

+ +

+ ZAP Version: 2.17.0 +

+ +

+ ZAP by Checkmarx +

+ + +

Summary of Alerts

+ + + + + + + + + + + + + + + + + + + + + + + + + +
Risk LevelNumber of Alerts
+
High
+ 		+
0
+
+
Medium
+ 		+
2
+
+
Low
+ 		+
5
+
+
Informational
+ 		+
3
+
+
False Positives:
+ 		+
0
+
+
+ + + +

Insights

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
LevelReasonSiteDescriptionStatistic
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of responses with status code 2xx
+ 		+
94 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of responses with status code 4xx
+ 		+
5 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type application/javascript
+ 		+
8 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type application/octet-stream
+ 		+
5 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type image/x-icon
+ 		+
1 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type text/css
+ 		+
1 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type text/html
+ 		+
81 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type text/markdown
+ 		+
3 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type text/plain
+ 		+
1 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with method GET
+ 		+
100 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Count of total endpoints
+ 		+
100
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of slow responses
+ 		+
2 %
+
+
+ + + + +

Summary of Sequences

+

For each step: result (Pass/Fail) - risk (of highest alert(s) for the step, if any).

+ + + + + + + + +

Alerts

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameRisk LevelNumber of Instances
Content Security Policy (CSP) Header Not SetMediumSystemic
Cross-Domain MisconfigurationMediumSystemic
Cross-Origin-Embedder-Policy Header Missing or InvalidLow5
Cross-Origin-Opener-Policy Header Missing or InvalidLow5
Dangerous JS FunctionsLow2
Deprecated Feature Policy Header SetLowSystemic
Timestamp Disclosure - UnixLowSystemic
Modern Web ApplicationInformationalSystemic
Storable and Cacheable ContentInformational1
Storable but Non-Cacheable ContentInformationalSystemic
+
+ + + +

Alert Detail

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Content Security Policy (CSP) Header Not Set
Description +
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
+ +
URLhttp://host.docker.internal:3000
Node Namehttp://host.docker.internal:3000
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/
Node Namehttp://host.docker.internal:3000/
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/ftp
Node Namehttp://host.docker.internal:3000/ftp
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/ftp/coupons_2013.md.bak
Node Namehttp://host.docker.internal:3000/ftp/coupons_2013.md.bak
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/sitemap.xml
Node Namehttp://host.docker.internal:3000/sitemap.xml
MethodGET
Parameter
Attack
Evidence
Other Info
InstancesSystemic
Solution +
Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.
+ +
Reference + https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP +
+ + https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html +
+ + https://www.w3.org/TR/CSP/ +
+ + https://w3c.github.io/webappsec-csp/ +
+ + https://web.dev/articles/csp +
+ + https://caniuse.com/#feat=contentsecuritypolicy +
+ + https://content-security-policy.com/ + +
CWE Id693
WASC Id15
Plugin Id10038
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Cross-Domain Misconfiguration
Description +
Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.
+ +
URLhttp://host.docker.internal:3000/
Node Namehttp://host.docker.internal:3000/
MethodGET
Parameter
Attack
EvidenceAccess-Control-Allow-Origin: *
Other Info +
The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
+ +
URLhttp://host.docker.internal:3000/assets/public/favicon_js.ico
Node Namehttp://host.docker.internal:3000/assets/public/favicon_js.ico
MethodGET
Parameter
Attack
EvidenceAccess-Control-Allow-Origin: *
Other Info +
The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
+ +
URLhttp://host.docker.internal:3000/chunk-24EZLZ4I.js
Node Namehttp://host.docker.internal:3000/chunk-24EZLZ4I.js
MethodGET
Parameter
Attack
EvidenceAccess-Control-Allow-Origin: *
Other Info +
The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
+ +
URLhttp://host.docker.internal:3000/robots.txt
Node Namehttp://host.docker.internal:3000/robots.txt
MethodGET
Parameter
Attack
EvidenceAccess-Control-Allow-Origin: *
Other Info +
The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
+ +
URLhttp://host.docker.internal:3000/styles.css
Node Namehttp://host.docker.internal:3000/styles.css
MethodGET
Parameter
Attack
EvidenceAccess-Control-Allow-Origin: *
Other Info +
The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
+ +
InstancesSystemic
Solution +
Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).
+
+ +
Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
+ +
Reference + https://vulncat.fortify.com/en/detail?category=HTML5&subcategory=Overly%20Permissive%20CORS%20Policy + +
CWE Id264
WASC Id14
Plugin Id10098
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Cross-Origin-Embedder-Policy Header Missing or Invalid
Description +
Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).
+ +
URLhttp://host.docker.internal:3000
Node Namehttp://host.docker.internal:3000
MethodGET
ParameterCross-Origin-Embedder-Policy
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/
Node Namehttp://host.docker.internal:3000/
MethodGET
ParameterCross-Origin-Embedder-Policy
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/ftp
Node Namehttp://host.docker.internal:3000/ftp
MethodGET
ParameterCross-Origin-Embedder-Policy
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/juice-shop/build/routes/fileServer.js:43:13
Node Namehttp://host.docker.internal:3000/juice-shop/build/routes/fileServer.js:43:13
MethodGET
ParameterCross-Origin-Embedder-Policy
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/sitemap.xml
Node Namehttp://host.docker.internal:3000/sitemap.xml
MethodGET
ParameterCross-Origin-Embedder-Policy
Attack
Evidence
Other Info
Instances5
Solution +
Ensure that the application/web server sets the Cross-Origin-Embedder-Policy header appropriately, and that it sets the Cross-Origin-Embedder-Policy header to 'require-corp' for documents.
+
+ +
If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Embedder-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-embedder-policy).
+ +
Reference + https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy + +
CWE Id693
WASC Id14
Plugin Id90004
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Cross-Origin-Opener-Policy Header Missing or Invalid
Description +
Cross-Origin-Opener-Policy header is a response header that allows a site to control if others included documents share the same browsing context. Sharing the same browsing context with untrusted documents might lead to data leak.
+ +
URLhttp://host.docker.internal:3000
Node Namehttp://host.docker.internal:3000
MethodGET
ParameterCross-Origin-Opener-Policy
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/
Node Namehttp://host.docker.internal:3000/
MethodGET
ParameterCross-Origin-Opener-Policy
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/ftp
Node Namehttp://host.docker.internal:3000/ftp
MethodGET
ParameterCross-Origin-Opener-Policy
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/juice-shop/build/routes/fileServer.js:43:13
Node Namehttp://host.docker.internal:3000/juice-shop/build/routes/fileServer.js:43:13
MethodGET
ParameterCross-Origin-Opener-Policy
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/sitemap.xml
Node Namehttp://host.docker.internal:3000/sitemap.xml
MethodGET
ParameterCross-Origin-Opener-Policy
Attack
Evidence
Other Info
Instances5
Solution +
Ensure that the application/web server sets the Cross-Origin-Opener-Policy header appropriately, and that it sets the Cross-Origin-Opener-Policy header to 'same-origin' for documents.
+
+ +
'same-origin-allow-popups' is considered as less secured and should be avoided.
+
+ +
If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Opener-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-opener-policy).
+ +
Reference + https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy + +
CWE Id693
WASC Id14
Plugin Id90004
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Dangerous JS Functions
Description +
A dangerous JS function seems to be in use that would leave the site vulnerable.
+ +
URLhttp://host.docker.internal:3000/chunk-LHKS7QUN.js
Node Namehttp://host.docker.internal:3000/chunk-LHKS7QUN.js
MethodGET
Parameter
Attack
EvidencebypassSecurityTrustHtml(
Other Info
URLhttp://host.docker.internal:3000/main.js
Node Namehttp://host.docker.internal:3000/main.js
MethodGET
Parameter
Attack
EvidencebypassSecurityTrustHtml(
Other Info
Instances2
Solution +
See the references for security advice on the use of these functions.
+ +
Reference + https://v17.angular.io/guide/security + +
CWE Id749
WASC Id
Plugin Id10110
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Deprecated Feature Policy Header Set
Description +
The header has now been renamed to Permissions-Policy.
+ +
URLhttp://host.docker.internal:3000
Node Namehttp://host.docker.internal:3000
MethodGET
Parameter
Attack
EvidenceFeature-Policy
Other Info
URLhttp://host.docker.internal:3000/
Node Namehttp://host.docker.internal:3000/
MethodGET
Parameter
Attack
EvidenceFeature-Policy
Other Info
URLhttp://host.docker.internal:3000/chunk-24EZLZ4I.js
Node Namehttp://host.docker.internal:3000/chunk-24EZLZ4I.js
MethodGET
Parameter
Attack
EvidenceFeature-Policy
Other Info
URLhttp://host.docker.internal:3000/chunk-T3PSKZ45.js
Node Namehttp://host.docker.internal:3000/chunk-T3PSKZ45.js
MethodGET
Parameter
Attack
EvidenceFeature-Policy
Other Info
URLhttp://host.docker.internal:3000/chunk-TWZW5B45.js
Node Namehttp://host.docker.internal:3000/chunk-TWZW5B45.js
MethodGET
Parameter
Attack
EvidenceFeature-Policy
Other Info
InstancesSystemic
Solution +
Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header instead of the Feature-Policy header.
+ +
Reference + https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy +
+ + https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/ + +
CWE Id16
WASC Id15
Plugin Id10063
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Timestamp Disclosure - Unix
Description +
A timestamp was disclosed by the application/web server. - Unix
+ +
URLhttp://host.docker.internal:3000
Node Namehttp://host.docker.internal:3000
MethodGET
Parameter
Attack
Evidence1650485437
Other Info +
1650485437, which evaluates to: 2022-04-20 20:10:37.
+ +
URLhttp://host.docker.internal:3000
Node Namehttp://host.docker.internal:3000
MethodGET
Parameter
Attack
Evidence2038834951
Other Info +
2038834951, which evaluates to: 2034-08-10 15:02:31.
+ +
URLhttp://host.docker.internal:3000/
Node Namehttp://host.docker.internal:3000/
MethodGET
Parameter
Attack
Evidence1650485437
Other Info +
1650485437, which evaluates to: 2022-04-20 20:10:37.
+ +
URLhttp://host.docker.internal:3000/
Node Namehttp://host.docker.internal:3000/
MethodGET
Parameter
Attack
Evidence1981395349
Other Info +
1981395349, which evaluates to: 2032-10-14 19:35:49.
+ +
URLhttp://host.docker.internal:3000/
Node Namehttp://host.docker.internal:3000/
MethodGET
Parameter
Attack
Evidence2038834951
Other Info +
2038834951, which evaluates to: 2034-08-10 15:02:31.
+ +
InstancesSystemic
Solution +
Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.
+ +
Reference + https://cwe.mitre.org/data/definitions/200.html + +
CWE Id497
WASC Id13
Plugin Id10096
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Modern Web Application
Description +
The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.
+ +
URLhttp://host.docker.internal:3000
Node Namehttp://host.docker.internal:3000
MethodGET
Parameter
Attack
Evidence<script> + window.addEventListener("load", function(){ + window.cookieconsent.initialise({ + "palette": { + "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" }, + "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" } + }, + "theme": "classic", + "position": "bottom-right", + "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" } + })}); + </script>
Other Info +
No links have been found while there are scripts, which is an indication that this is a modern web application.
+ +
URLhttp://host.docker.internal:3000/
Node Namehttp://host.docker.internal:3000/
MethodGET
Parameter
Attack
Evidence<script> + window.addEventListener("load", function(){ + window.cookieconsent.initialise({ + "palette": { + "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" }, + "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" } + }, + "theme": "classic", + "position": "bottom-right", + "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" } + })}); + </script>
Other Info +
No links have been found while there are scripts, which is an indication that this is a modern web application.
+ +
URLhttp://host.docker.internal:3000/juice-shop/build/routes/fileServer.js:43:13
Node Namehttp://host.docker.internal:3000/juice-shop/build/routes/fileServer.js:43:13
MethodGET
Parameter
Attack
Evidence<script> + window.addEventListener("load", function(){ + window.cookieconsent.initialise({ + "palette": { + "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" }, + "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" } + }, + "theme": "classic", + "position": "bottom-right", + "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" } + })}); + </script>
Other Info +
No links have been found while there are scripts, which is an indication that this is a modern web application.
+ +
URLhttp://host.docker.internal:3000/juice-shop/node_modules/express/lib/router/index.js:286:9
Node Namehttp://host.docker.internal:3000/juice-shop/node_modules/express/lib/router/index.js:286:9
MethodGET
Parameter
Attack
Evidence<script> + window.addEventListener("load", function(){ + window.cookieconsent.initialise({ + "palette": { + "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" }, + "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" } + }, + "theme": "classic", + "position": "bottom-right", + "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" } + })}); + </script>
Other Info +
No links have been found while there are scripts, which is an indication that this is a modern web application.
+ +
URLhttp://host.docker.internal:3000/sitemap.xml
Node Namehttp://host.docker.internal:3000/sitemap.xml
MethodGET
Parameter
Attack
Evidence<script> + window.addEventListener("load", function(){ + window.cookieconsent.initialise({ + "palette": { + "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" }, + "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" } + }, + "theme": "classic", + "position": "bottom-right", + "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" } + })}); + </script>
Other Info +
No links have been found while there are scripts, which is an indication that this is a modern web application.
+ +
InstancesSystemic
Solution +
This is an informational alert and so no changes are required.
+ +
Reference
CWE Id
WASC Id
Plugin Id10109
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Storable and Cacheable Content
Description +
The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where "shared" caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.
+ +
URLhttp://host.docker.internal:3000/robots.txt
Node Namehttp://host.docker.internal:3000/robots.txt
MethodGET
Parameter
Attack
Evidence
Other Info +
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
+ +
Instances1
Solution +
Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:
+
+ +
Cache-Control: no-cache, no-store, must-revalidate, private
+
+ +
Pragma: no-cache
+
+ +
Expires: 0
+
+ +
This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.
+ +
Reference + https://datatracker.ietf.org/doc/html/rfc7234 +
+ + https://datatracker.ietf.org/doc/html/rfc7231 +
+ + https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html + +
CWE Id524
WASC Id13
Plugin Id10049
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Storable but Non-Cacheable Content
Description +
The response contents are storable by caching components such as proxy servers, but will not be retrieved directly from the cache, without validating the request upstream, in response to similar requests from other users.
+ +
URLhttp://host.docker.internal:3000/
Node Namehttp://host.docker.internal:3000/
MethodGET
Parameter
Attack
Evidencemax-age=0
Other Info
URLhttp://host.docker.internal:3000/assets/public/favicon_js.ico
Node Namehttp://host.docker.internal:3000/assets/public/favicon_js.ico
MethodGET
Parameter
Attack
Evidencemax-age=0
Other Info
URLhttp://host.docker.internal:3000/chunk-24EZLZ4I.js
Node Namehttp://host.docker.internal:3000/chunk-24EZLZ4I.js
MethodGET
Parameter
Attack
Evidencemax-age=0
Other Info
URLhttp://host.docker.internal:3000/chunk-T3PSKZ45.js
Node Namehttp://host.docker.internal:3000/chunk-T3PSKZ45.js
MethodGET
Parameter
Attack
Evidencemax-age=0
Other Info
URLhttp://host.docker.internal:3000/chunk-TWZW5B45.js
Node Namehttp://host.docker.internal:3000/chunk-TWZW5B45.js
MethodGET
Parameter
Attack
Evidencemax-age=0
Other Info
InstancesSystemic
Solution
Reference + https://datatracker.ietf.org/doc/html/rfc7234 +
+ + https://datatracker.ietf.org/doc/html/rfc7231 +
+ + https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html + +
CWE Id524
WASC Id13
Plugin Id10049
+
+ + + + + +

Sequence Details

+ With the associated active scan results. + + + +
+ + + + + + +