OWASP_2021_A01 on ZAP

Absence of Anti-CSRF Tokens

Mon, 01 Jan 0001 00:00:00 +0000

No Anti-CSRF tokens were found in a HTML submission form. A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

Access Control Issue - Improper Authentication

Mon, 01 Jan 0001 00:00:00 +0000

Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate. Web-based administration tools are a good example of web sites providing access to sensitive functionality. Depending on the specific online resource, these web applications should not be directly accessible without requiring the user to properly verify their identity.

Access Control Issue - Improper Authorization

Mon, 01 Jan 0001 00:00:00 +0000

Insufficient Authorization results when an application does not perform adequate authorization checks to ensure that the user is performing a function or accessing data in a manner consistent with the security policy. Authorization procedures should enforce what a user, service or application is permitted to do. When a user is authenticated to a web site, it does not necessarily mean that the user should have full access to all content and functionality.

Anchor href manipulated from tainted source

Mon, 01 Jan 0001 00:00:00 +0000

Tainted value assigned to href attribute.

Generated by OWASP PTK IAST Module

Authentication Credentials Captured

Mon, 01 Jan 0001 00:00:00 +0000

An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted. The attacker eavesdrops on the network until an authentication has completed.

Bypassing 403

Mon, 01 Jan 0001 00:00:00 +0000

Bypassing 403 endpoints may be possible, the scan rule sent a payload that caused the response to be accessible (status code 200).

Client-side redirect via history.pushState

Mon, 01 Jan 0001 00:00:00 +0000

Tainted URL passed to history.pushState, altering client-side navigation.

Generated by OWASP PTK IAST Module

Client-side redirect via location.assign

Mon, 01 Jan 0001 00:00:00 +0000

Tainted destination URL passed to location.assign.

Generated by OWASP PTK IAST Module

Client-side redirect via location.href

Mon, 01 Jan 0001 00:00:00 +0000

Tainted data assigned to location.href, causing a client-side redirect.

Generated by OWASP PTK IAST Module

Client-side redirect via location.replace

Mon, 01 Jan 0001 00:00:00 +0000

Tainted destination URL passed to location.replace.

Generated by OWASP PTK IAST Module

Client-side route change via history.replaceState

Mon, 01 Jan 0001 00:00:00 +0000

Tainted URL passed to history.replaceState, altering client-side navigation state.

Generated by OWASP PTK IAST Module

Cookie with Invalid SameSite Attribute

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set with an invalid SameSite attribute value, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Cookie with SameSite Attribute None

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set with its SameSite attribute set to “none”, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Cookie without SameSite Attribute

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

CORS Header

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It relaxes the Same-Origin Policy (SOP).

CORS Misconfiguration

Mon, 01 Jan 0001 00:00:00 +0000

This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim’s user agent. In order to perform authenticated AJAX queries, the server must specify the header “Access-Control-Allow-Credentials: true” and the “Access-Control-Allow-Origin” header must be set to null or the malicious page’s domain. Even if this misconfiguration doesn’t allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites). A malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc).

CORS Misconfiguration

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Domain Misconfiguration

Mon, 01 Jan 0001 00:00:00 +0000

Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

Cross-Site WebSocket Hijacking

Mon, 01 Jan 0001 00:00:00 +0000

Server accepted WebSocket connection through HTTP Upgrade request with modified Origin header.

Deprecated Feature Policy Header Set

Mon, 01 Jan 0001 00:00:00 +0000

The header has now been renamed to Permissions-Policy.

Directory Browsing

Mon, 01 Jan 0001 00:00:00 +0000

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information.

Disallow direct navigation primitives

Mon, 01 Jan 0001 00:00:00 +0000

Detects client-side code that can redirect users to attacker-controlled URLs (open redirects). Includes assignment/calls that control window/location/navigation, attr-based redirects, form actions and jQuery variants.

Generated by OWASP PTK SAST Module

DOM-based Open Redirection (taint flow)

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK SAST Module

Exposed Session ID

Mon, 01 Jan 0001 00:00:00 +0000

A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files.

Form action manipulated by tainted route or body input

Mon, 01 Jan 0001 00:00:00 +0000

Tainted route, body, or messaging value changed form action.

Generated by OWASP PTK IAST Module

Form action manipulated from tainted source

Mon, 01 Jan 0001 00:00:00 +0000

Tainted value assigned to form action.

Generated by OWASP PTK IAST Module

formAction manipulated by tainted route or body input

Mon, 01 Jan 0001 00:00:00 +0000

Tainted route, body, or messaging value changed formAction.

Generated by OWASP PTK IAST Module

IFrame content injection via srcdoc

Mon, 01 Jan 0001 00:00:00 +0000

Tainted HTML assigned to iframe.srcdoc, enabling DOM-based XSS inside the frame.

Generated by OWASP PTK IAST Module

IFrame navigation via src

Mon, 01 Jan 0001 00:00:00 +0000

Tainted URL assigned to iframe.src, causing navigation to untrusted content.

Generated by OWASP PTK IAST Module

Information Disclosure - Debug Error Messages

Mon, 01 Jan 0001 00:00:00 +0000

The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages.

Information Disclosure - Sensitive Information in HTTP Referrer Header

Mon, 01 Jan 0001 00:00:00 +0000

The HTTP header may have leaked a potentially sensitive parameter to another domain. This can violate PCI and most organizational compliance policies. You can configure the list of strings for this check to add or remove values specific to your environment.

Information Disclosure - Sensitive Information in URL

Mon, 01 Jan 0001 00:00:00 +0000

The request appeared to contain sensitive information leaked in the URL. This can violate PCI and most organizational compliance policies. You can configure the list of strings for this check to add or remove values specific to your environment.

Information Disclosure - Suspicious Comments

Mon, 01 Jan 0001 00:00:00 +0000

The response appears to contain suspicious comments which may help an attacker.

JWT None Exploit

Mon, 01 Jan 0001 00:00:00 +0000

The application’s JWT implementation allows for the usage of the ’none’ algorithm, which bypasses the JWT hash verification.

location.assign redirect from tainted source

Mon, 01 Jan 0001 00:00:00 +0000

Tainted value passed to location.assign.

Generated by OWASP PTK IAST Module

location.href redirect from tainted source

Mon, 01 Jan 0001 00:00:00 +0000

Tainted value navigated location.href.

Generated by OWASP PTK IAST Module

location.replace redirect from tainted source

Mon, 01 Jan 0001 00:00:00 +0000

Tainted value passed to location.replace.

Generated by OWASP PTK IAST Module

navigation.navigate redirect from tainted source

Mon, 01 Jan 0001 00:00:00 +0000

Tainted value passed to navigation.navigate.

Generated by OWASP PTK IAST Module

Open redirect reflected in body destination

Mon, 01 Jan 0001 00:00:00 +0000

Tests for open redirect by forcing redirect-like parameters to an external, benign domain.

Generated by OWASP PTK DAST Module

Open redirect reflected in form action

Mon, 01 Jan 0001 00:00:00 +0000

Tests for open redirect by forcing redirect-like parameters to an external, benign domain.

Generated by OWASP PTK DAST Module

Open redirect via common param names

Mon, 01 Jan 0001 00:00:00 +0000

Tests for open redirect by forcing redirect-like parameters to an external, benign domain.

Generated by OWASP PTK DAST Module

Open redirect via Navigation API

Mon, 01 Jan 0001 00:00:00 +0000

Tainted destination URL used in navigation.navigate.

Generated by OWASP PTK IAST Module

Open redirect via window.open

Mon, 01 Jan 0001 00:00:00 +0000

Tainted URL used in window.open (possible open redirect).

Generated by OWASP PTK IAST Module

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Permissions Policy Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

Permissions Policy Header is an added layer of security that helps to restrict from unauthorized access or usage of browser/client features by web resources. This policy ensures the user privacy by limiting or specifying the features of the browsers can be used by the web resources. Permissions Policy provides a set of standard HTTP headers that allow website owners to limit which features of browsers can be used by the page such as camera, microphone, location, full screen etc.

postMessage to cross-origin target with tainted payload

Mon, 01 Jan 0001 00:00:00 +0000

Tainted data sent via window.postMessage to a different origin.

Generated by OWASP PTK IAST Module

postMessage to wildcard origin with tainted payload

Mon, 01 Jan 0001 00:00:00 +0000

Tainted data sent via window.postMessage to wildcard ‘*’ targetOrigin.

Generated by OWASP PTK IAST Module

Private IP Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

Referer Exposes Session ID

Mon, 01 Jan 0001 00:00:00 +0000

A hyperlink pointing to another host name was found. As session ID URL rewrite is used, it may be disclosed in referer header to external hosts.

Route-controlled history.pushState

Mon, 01 Jan 0001 00:00:00 +0000

Client route state influenced history.pushState.

Generated by OWASP PTK IAST Module

Route-controlled history.replaceState

Mon, 01 Jan 0001 00:00:00 +0000

Client route state influenced history.replaceState.

Generated by OWASP PTK IAST Module

Route-controlled Navigation API transition

Mon, 01 Jan 0001 00:00:00 +0000

Client route state influenced navigation.navigate.

Generated by OWASP PTK IAST Module

Same-origin URL mutations

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK SAST Module

Sec-Fetch-Dest Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Specifies how and where the data would be used. For instance, if the value is audio, then the requested resource must be audio data and not any other type of resource.

Sec-Fetch-Dest Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Specifies how and where the data would be used. For instance, if the value is audio, then the requested resource must be audio data and not any other type of resource.

Sec-Fetch-Mode Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Allows to differentiate between requests for navigating between HTML pages and requests for loading resources like images, audio etc.

Sec-Fetch-Mode Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Allows to differentiate between requests for navigating between HTML pages and requests for loading resources like images, audio etc.

Sec-Fetch-Site Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Specifies the relationship between request initiator’s origin and target’s origin.

Sec-Fetch-Site Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Specifies the relationship between request initiator’s origin and target’s origin.

Sec-Fetch-User Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Specifies if a navigation request was initiated by a user.

Sec-Fetch-User Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Specifies if a navigation request was initiated by a user.

Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking information via one or more “X-Powered-By” HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.

Session Fixation

Mon, 01 Jan 0001 00:00:00 +0000

Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user’s actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim’s browser, to allow the vulnerability to be exploited.

Session Fixation

Mon, 01 Jan 0001 00:00:00 +0000

Session ID Cookie Accessible to JavaScript

Mon, 01 Jan 0001 00:00:00 +0000

A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked.

Session ID Expiry Time/Max-Age is Excessive

Mon, 01 Jan 0001 00:00:00 +0000

A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means.

Session ID in URL Rewrite

Mon, 01 Jan 0001 00:00:00 +0000

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

Session ID in URL Rewrite

Mon, 01 Jan 0001 00:00:00 +0000

URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

Session ID Transmitted Insecurely

Mon, 01 Jan 0001 00:00:00 +0000

A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the ‘secure’ flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim’s session.

Spring Actuator Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

Spring Actuator for Health is enabled and may reveal sensitive information about this application. Spring Actuators can be used for real monitoring purposes, but should be used with caution as to not expose too much information about the application or the infrastructure running it.

Tainted URL assigned to element.href

Mon, 01 Jan 0001 00:00:00 +0000

Tainted URL assigned to an element href attribute.

Generated by OWASP PTK IAST Module

Tainted URL assigned to element.src

Mon, 01 Jan 0001 00:00:00 +0000

Tainted URL assigned to a non-script/iframe/src element src attribute.

Generated by OWASP PTK IAST Module

Tainted URL assigned to form action

Mon, 01 Jan 0001 00:00:00 +0000

Tainted URL assigned to a form action attribute.

Generated by OWASP PTK IAST Module

Tainted URL assigned to formAction

Mon, 01 Jan 0001 00:00:00 +0000

Tainted URL assigned to a formAction attribute.

Generated by OWASP PTK IAST Module

Timestamp Disclosure - Unix

Mon, 01 Jan 0001 00:00:00 +0000

A timestamp was disclosed by the application/web server. - Unix

Username Hash Found

Mon, 01 Jan 0001 00:00:00 +0000

A hash of a username (admin) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused.

Weak Authentication Method

Mon, 01 Jan 0001 00:00:00 +0000

HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network.

window.open redirect from tainted source

Mon, 01 Jan 0001 00:00:00 +0000

Tainted value passed to window.open.

Generated by OWASP PTK IAST Module

X-Debug-Token Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The response contained an X-Debug-Token or X-Debug-Token-Link header. This indicates that Symfony’s Profiler may be in use and exposing sensitive data.