CWE-693 on ZAP

Clear-Site-Data present but missing executionContexts

Mon, 01 Jan 0001 00:00:00 +0000

The OWASP Secure Headers Project describes HTTP response headers that your application can use to increase the security of your application. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities.

Generated by OWASP PTK DAST Module

Clear-Site-Data uses wildcard *

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

COEP present but value is not 'require-corp' or 'credentialless'

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Content Security Policy (CSP) Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Content Security Policy (CSP) Report-Only Header Found

Mon, 01 Jan 0001 00:00:00 +0000

The response contained a Content-Security-Policy-Report-Only header, this may indicate a work-in-progress implementation, or an oversight in promoting pre-Prod to Prod, etc.

COOP present but value is not 'same-origin'

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

COOP set without COEP/CORP (incomplete cross-origin isolation)

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

CORS allows any origin with credentials

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Cross-Origin-Embedder-Policy Header Missing or Invalid

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don’t explicitly grant the document permission (using CORP or CORS).

Cross-Origin-Opener-Policy Header Missing or Invalid

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin-Opener-Policy header is a response header that allows a site to control if others included documents share the same browsing context. Sharing the same browsing context with untrusted documents might lead to data leak.

Cross-Origin-Resource-Policy Header Missing or Invalid

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin-Resource-Policy header is an opt-in header designed to counter side-channels attacks like Spectre. Resource should be specifically set as shareable amongst different origins.

CSP 'frame-ancestors' missing or overly broad

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

CSP allows inline/eval or wildcards in script/style

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

CSP Report-Only present without enforcing CSP

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

CSP: Failure to Define Directive with No Fallback

Mon, 01 Jan 0001 00:00:00 +0000

The Content Security Policy fails to define one of the directives that has no fallback. Missing/excluding them is the same as allowing anything.

CSP: Header & Meta

Mon, 01 Jan 0001 00:00:00 +0000

The message contained both CSP specified via header and via Meta tag. It was not possible to union these policies in order to perform an analysis. Therefore, they have been evaluated individually.

CSP: Malformed Policy (Non-ASCII)

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

CSP: Meta Policy Invalid Directive

Mon, 01 Jan 0001 00:00:00 +0000

The policy specified via meta element contains either or both the sandbox or frame-ancestors directive, which are not permitted inside meta CSP definitions.

CSP: Notices

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-eval

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-hashes

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-inline

Mon, 01 Jan 0001 00:00:00 +0000

CSP: style-src unsafe-hashes

Mon, 01 Jan 0001 00:00:00 +0000

CSP: style-src unsafe-inline

Mon, 01 Jan 0001 00:00:00 +0000

CSP: Wildcard Directive

Mon, 01 Jan 0001 00:00:00 +0000

CSP: X-Content-Security-Policy

Mon, 01 Jan 0001 00:00:00 +0000

CSP: X-WebKit-CSP

Mon, 01 Jan 0001 00:00:00 +0000

Deprecated Feature-Policy or unknown/overly-permissive Permissions-Policy

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Expect-CT is deprecated

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

HSTS max-age too low or missing includeSubDomains

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Missing Content-Security-Policy header

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Missing or invalid X-Content-Type-Options

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Missing or weak Referrer-Policy

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Missing Security Headers

Mon, 01 Jan 0001 00:00:00 +0000

Some of the following security headers are missing from the HTTP response: Strict-Transport-Security, Content-Security-Policy, X-XSS-Protection, X-Content-Type-Options, X-Frame-Options.

Missing Strict-Transport-Security header (on HTTPS)

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Obsolete Content Security Policy (CSP) Header Found

Mon, 01 Jan 0001 00:00:00 +0000

The “X-Content-Security-Policy” and “X-WebKit-CSP” headers are no longer recommended.

Permissions Policy Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

Permissions Policy Header is an added layer of security that helps to restrict from unauthorized access or usage of browser/client features by web resources. This policy ensures the user privacy by limiting or specifying the features of the browsers can be used by the web resources. Permissions Policy provides a set of standard HTTP headers that allow website owners to limit which features of browsers can be used by the page such as camera, microphone, location, full screen etc.

Potentially authenticated content lacks no-store

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Public-Key-Pins is deprecated

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Sensitive cookies missing security flags

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Server banner discloses software/version

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Strict-Transport-Security sent over HTTP (ineffective)

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

X-Content-Type-Options Header Missing

Mon, 01 Jan 0001 00:00:00 +0000

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to ’nosniff’. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

X-Powered-By header or equivalent present

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

X-XSS-Protection header is a legacy directive

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module