CWE-319 on ZAP /alerttags/cwe-319/ Recent content in CWE-319 on ZAP Hugo en-us ASP.NET ViewState Disclosure /docs/alerts/10094-1/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10094-1/ <p>An ASP.NET ViewState was disclosed by the application/web server.</p> Base64 Disclosure /docs/alerts/10094-3/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10094-3/ <p>Base64 encoded data was disclosed by the application/web server. Note: in the interests of performance not all base64 strings in the response were analyzed individually, the entire response should be looked at by the analyst/security team/developer(s).</p> HTTP to HTTPS Insecure Transition in Form Post /docs/alerts/10041/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10041/ <p>This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed.</p> HTTPS to HTTP Insecure Transition in Form Post /docs/alerts/10042/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10042/ <p>This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they&rsquo;re submitting data to a secure page when in fact they are not.</p> Strict-Transport-Security Defined via META (Non-compliant with Spec) /docs/alerts/10035-6/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10035-6/ <p>A HTTP Strict Transport Security (HSTS) META tag was found, defining HTTP Strict Transport Security (HSTS) via a META tag is explicitly not supported by the spec (RFC 6797).</p> Strict-Transport-Security Disabled /docs/alerts/10035-2/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10035-2/ <p>A HTTP Strict Transport Security (HSTS) header was found, but it contains the directive max-age=0 which disables the control and instructs browsers to reset any previous HSTS related settings. See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).</p> Strict-Transport-Security Header Not Set /docs/alerts/10035-1/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10035-1/ <p>HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.</p> Strict-Transport-Security Header on Plain HTTP Response /docs/alerts/10035-4/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10035-4/ <p>A HTTP Strict Transport Security (HSTS) header was found, but HSTS headers are ignored on plain (non-HTTPS) responses. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).</p> Strict-Transport-Security Malformed Content (Non-compliant with Spec) /docs/alerts/10035-8/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10035-8/ <p>A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters.</p> Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) /docs/alerts/10035-7/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10035-7/ <p>A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).</p> Strict-Transport-Security Missing Max-Age (Non-compliant with Spec) /docs/alerts/10035-5/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10035-5/ <p>A HTTP Strict Transport Security (HSTS) header was found, but it is missing the max-age directive (or the directive is missing a value). See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).</p> Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec) /docs/alerts/10035-3/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10035-3/ <p>HTTP Strict Transport Security (HSTS) headers were found, a response with multiple HSTS header entries is not compliant with the specification (RFC 6797) and only the first HSTS header will be processed others will be ignored by user agents or the HSTS policy may be incorrectly applied. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).</p> ws:// from HTTPS context /docs/alerts/200008/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/200008/ <p>Looks for common WebSocket endpoints and insecure patterns such as ws:// from HTTPS pages.</p> <p>Generated by OWASP PTK DAST Module</p>