OWASP_2021_A05 on ZAP

.env Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information.

.htaccess Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer.

.NET stack trace / YSOD

Mon, 01 Jan 0001 00:00:00 +0000

Detects common framework stack traces, error pages, and path disclosures in observed responses.

Generated by OWASP PTK DAST Module

Admin/management path observed

Mon, 01 Jan 0001 00:00:00 +0000

Flags high-value endpoint patterns observed in traffic (admin panels, debug endpoints, consoles, and backup/config file paths).

Generated by OWASP PTK DAST Module

Android assetlinks.json observed

Mon, 01 Jan 0001 00:00:00 +0000

Flags security-relevant well-known resources and metadata files when they appear in observed traffic.

Generated by OWASP PTK DAST Module

Anti-CSRF Tokens Check

Mon, 01 Jan 0001 00:00:00 +0000

A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

API docs endpoint observed

Mon, 01 Jan 0001 00:00:00 +0000

Detects exposure of API documentation, specs, and interactive consoles observed in traffic.

Generated by OWASP PTK DAST Module

Apple app-site-association observed

Mon, 01 Jan 0001 00:00:00 +0000

Flags security-relevant well-known resources and metadata files when they appear in observed traffic.

Generated by OWASP PTK DAST Module

Application Error Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

Avoid permissive regex origin checks

Mon, 01 Jan 0001 00:00:00 +0000

Detects unsafe postMessage usage and message event handling issues (missing origin validation, wildcard targetOrigin, tainted data flowing into DOM/code sinks).

Generated by OWASP PTK SAST Module

Avoid postMessage with wildcard targetOrigin

Mon, 01 Jan 0001 00:00:00 +0000

Detects unsafe postMessage usage and message event handling issues (missing origin validation, wildcard targetOrigin, tainted data flowing into DOM/code sinks).

Generated by OWASP PTK SAST Module

Avoid weak origin substring checks

Mon, 01 Jan 0001 00:00:00 +0000

Detects unsafe postMessage usage and message event handling issues (missing origin validation, wildcard targetOrigin, tainted data flowing into DOM/code sinks).

Generated by OWASP PTK SAST Module

AWS Access Key ID pattern

Mon, 01 Jan 0001 00:00:00 +0000

Flags secret-like tokens and exposed configuration values in observed HTML/JS/JSON responses. These are recon leads; validate sensitivity before reporting.

Generated by OWASP PTK DAST Module

Backup File Detected

Mon, 01 Jan 0001 00:00:00 +0000

A backup or alternate version of a page or component was detected. An attacker may leverage information in such files to further attack or abuse the system.

Backup File Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

A backup of the file was disclosed by the web server.

Cache-Control public/max-age with Set-Cookie

Mon, 01 Jan 0001 00:00:00 +0000

Flags potentially risky cacheability for responses that appear user-specific and missing cache partitioning indicators.

Generated by OWASP PTK DAST Module

Charset Mismatch

Mon, 01 Jan 0001 00:00:00 +0000

This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there’s a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content’s correct character set.

Charset Mismatch (Header Versus Meta Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Charset Mismatch (Header Versus Meta Content-Type Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Charset Mismatch (Meta Charset Versus Meta Content-Type Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Clear-Site-Data present but missing executionContexts

Mon, 01 Jan 0001 00:00:00 +0000

The OWASP Secure Headers Project describes HTTP response headers that your application can use to increase the security of your application. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities.

Generated by OWASP PTK DAST Module

Clear-Site-Data uses wildcard *

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Cloud metadata IP referenced

Mon, 01 Jan 0001 00:00:00 +0000

Detects internal hostnames/IPs and environment hints (staging/dev/local) disclosed in observed responses.

Generated by OWASP PTK DAST Module

Cloud Metadata Potentially Exposed

Mon, 01 Jan 0001 00:00:00 +0000

The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure. All of these providers provide metadata via an internal unroutable IP address ‘169.254.169.254’ - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field.

COEP present but value is not 'require-corp' or 'credentialless'

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Content Security Policy (CSP) Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Content Security Policy (CSP) Report-Only Header Found

Mon, 01 Jan 0001 00:00:00 +0000

The response contained a Content-Security-Policy-Report-Only header, this may indicate a work-in-progress implementation, or an oversight in promoting pre-Prod to Prod, etc.

Content-Type Header Empty

Mon, 01 Jan 0001 00:00:00 +0000

The Content-Type header was either missing or empty.

Content-Type Header Missing

Mon, 01 Jan 0001 00:00:00 +0000

The Content-Type header was either missing or empty.

Cookie No HttpOnly Flag

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

Cookie Slack Detector

Mon, 01 Jan 0001 00:00:00 +0000

Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced.

Cookie Without Secure Flag

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

COOP present but value is not 'same-origin'

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

COOP set without COEP/CORP (incomplete cross-origin isolation)

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

CORS allows any origin with credentials

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

CORS allows broad headers

Mon, 01 Jan 0001 00:00:00 +0000

Adds passive CORS posture checks: missing Vary: Origin for dynamic ACAO, and permissive allowed headers/methods.

Generated by OWASP PTK DAST Module

CORS allows broad methods

Mon, 01 Jan 0001 00:00:00 +0000

Adds passive CORS posture checks: missing Vary: Origin for dynamic ACAO, and permissive allowed headers/methods.

Generated by OWASP PTK DAST Module

Cross-Domain Misconfiguration - Adobe - Read

Mon, 01 Jan 0001 00:00:00 +0000

Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server.

Cross-Domain Misconfiguration - Adobe - Send

Mon, 01 Jan 0001 00:00:00 +0000

Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server.

Cross-Domain Misconfiguration - Silverlight

Mon, 01 Jan 0001 00:00:00 +0000

Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server.

CSP 'frame-ancestors' missing or overly broad

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

CSP allows inline/eval or wildcards in script/style

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

CSP Report-Only present without enforcing CSP

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

CSP: Failure to Define Directive with No Fallback

Mon, 01 Jan 0001 00:00:00 +0000

The Content Security Policy fails to define one of the directives that has no fallback. Missing/excluding them is the same as allowing anything.

CSP: Header & Meta

Mon, 01 Jan 0001 00:00:00 +0000

The message contained both CSP specified via header and via Meta tag. It was not possible to union these policies in order to perform an analysis. Therefore, they have been evaluated individually.

CSP: Malformed Policy (Non-ASCII)

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

CSP: Meta Policy Invalid Directive

Mon, 01 Jan 0001 00:00:00 +0000

The policy specified via meta element contains either or both the sandbox or frame-ancestors directive, which are not permitted inside meta CSP definitions.

CSP: Notices

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-eval

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-hashes

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-inline

Mon, 01 Jan 0001 00:00:00 +0000

CSP: style-src unsafe-hashes

Mon, 01 Jan 0001 00:00:00 +0000

CSP: style-src unsafe-inline

Mon, 01 Jan 0001 00:00:00 +0000

CSP: Wildcard Directive

Mon, 01 Jan 0001 00:00:00 +0000

CSP: X-Content-Security-Policy

Mon, 01 Jan 0001 00:00:00 +0000

CSP: X-WebKit-CSP

Mon, 01 Jan 0001 00:00:00 +0000

Debug/diagnostic path observed

Mon, 01 Jan 0001 00:00:00 +0000

Flags high-value endpoint patterns observed in traffic (admin panels, debug endpoints, consoles, and backup/config file paths).

Generated by OWASP PTK DAST Module

Deprecated Feature-Policy or unknown/overly-permissive Permissions-Policy

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Directory Browsing

Mon, 01 Jan 0001 00:00:00 +0000

It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information.

DOM-based Link Manipulation (taint flow)

Mon, 01 Jan 0001 00:00:00 +0000

Detects DOM code that rewrites link destinations (href attributes) with attacker-controlled data. Manipulated links can mislead users into visiting malicious targets even if navigation is not forced automatically.

Generated by OWASP PTK SAST Module

Dynamic ACAO without Vary: Origin

Mon, 01 Jan 0001 00:00:00 +0000

Adds passive CORS posture checks: missing Vary: Origin for dynamic ACAO, and permissive allowed headers/methods.

Generated by OWASP PTK DAST Module

ELMAH Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information.

Environment hints (dev/staging/test) in response

Mon, 01 Jan 0001 00:00:00 +0000

Detects internal hostnames/IPs and environment hints (staging/dev/local) disclosed in observed responses.

Generated by OWASP PTK DAST Module

Environment/config file observed

Mon, 01 Jan 0001 00:00:00 +0000

Flags high-value endpoint patterns observed in traffic (admin panels, debug endpoints, consoles, and backup/config file paths).

Generated by OWASP PTK DAST Module

Expect-CT is deprecated

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Exposed Secrets in Swagger/OpenAPI Path

Mon, 01 Jan 0001 00:00:00 +0000

Swagger UI endpoint exposes sensitive secrets such as client secrets, API keys, or OAuth tokens. These secrets may be accessible in the HTML source and should not be exposed publicly, as this can lead to compromise.

Exposure of Git repository

Mon, 01 Jan 0001 00:00:00 +0000

Version control repositories such as CVS or git store version-specific metadata and other details within subdirectories. If these subdirectories are stored on a web server or added to an archive, then these could be used by an attacker. This information may include usernames, filenames, path root, IP addresses, and detailed ‘diff’ data about how files have been changed - which could reveal source code snippets that were never intended to be made public..

Exposure of Mercurial repository

Mon, 01 Jan 0001 00:00:00 +0000

Exposure of SVN repository

Mon, 01 Jan 0001 00:00:00 +0000

Firebase config exposed

Mon, 01 Jan 0001 00:00:00 +0000

Flags secret-like tokens and exposed configuration values in observed HTML/JS/JSON responses. These are recon leads; validate sensitivity before reporting.

Generated by OWASP PTK DAST Module

Full Path Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

The full path of files which might be sensitive has been exposed to the client.

GitHub token pattern

Mon, 01 Jan 0001 00:00:00 +0000

Flags secret-like tokens and exposed configuration values in observed HTML/JS/JSON responses. These are recon leads; validate sensitivity before reporting.

Generated by OWASP PTK DAST Module

Google API key pattern

Mon, 01 Jan 0001 00:00:00 +0000

Flags secret-like tokens and exposed configuration values in observed HTML/JS/JSON responses. These are recon leads; validate sensitivity before reporting.

Generated by OWASP PTK DAST Module

GraphiQL / GraphQL Playground detected

Mon, 01 Jan 0001 00:00:00 +0000

Detects exposure of API documentation, specs, and interactive consoles observed in traffic.

Generated by OWASP PTK DAST Module

GraphQL endpoint observed

Mon, 01 Jan 0001 00:00:00 +0000

Detects exposure of API documentation, specs, and interactive consoles observed in traffic.

Generated by OWASP PTK DAST Module

GraphQL Endpoint Supports Introspection

Mon, 01 Jan 0001 00:00:00 +0000

The GraphQL endpoint has Introspection enabled. Introspection allows clients to query the schema and retrieve detailed information about the fields, types, inputs, etc. supported by the GraphQL endpoint. This may be valuable to an attacker, as it could enable them to craft more targeted queries.

GraphQL path observed

Mon, 01 Jan 0001 00:00:00 +0000

Flags high-value endpoint patterns observed in traffic (admin panels, debug endpoints, consoles, and backup/config file paths).

Generated by OWASP PTK DAST Module

Hidden File Found

Mon, 01 Jan 0001 00:00:00 +0000

A sensitive file was identified as accessible or available. This may leak administrative, configuration, or credential information which can be leveraged by a malicious individual to further attack the system or conduct social engineering efforts.

HSTS max-age too low or missing includeSubDomains

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

HTML references .map files

Mon, 01 Jan 0001 00:00:00 +0000

Detects source map references and common debug artifacts in observed HTML/JS responses. These are high-value recon leads for code disclosure and hidden endpoints.

Generated by OWASP PTK DAST Module

HTTP Only Site

Mon, 01 Jan 0001 00:00:00 +0000

The site is only served under HTTP and not HTTPS.

HTTPS Content Available via HTTP

Mon, 01 Jan 0001 00:00:00 +0000

Content which was initially accessed via HTTPS (i.e.: using SSL/TLS encryption) is also accessible via HTTP (without encryption).

Image Exposes Location or Privacy Data

Mon, 01 Jan 0001 00:00:00 +0000

The image was found to contain embedded location information, such as GPS coordinates, or another privacy exposure, such as camera serial number. Depending on the context of the image in the website, this information may expose private details of the users of a site. For example, a site that allows users to upload profile pictures taken in the home may expose the home’s address.

In Page Banner Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The server returned a version banner string in the response content. Such information leaks may allow attackers to further target specific issues impacting the product and version in use.

Insecure HTTP Method - CONNECT

Mon, 01 Jan 0001 00:00:00 +0000

The insecure HTTP method [CONNECT] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components.

Insecure HTTP Method - DELETE

Mon, 01 Jan 0001 00:00:00 +0000

The insecure HTTP method [DELETE] is enabled on the web server for this resource. Depending on the web server configuration, and the underlying implementation responsible for serving the resource, this might or might not be exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the HttpOnly flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. The CONNECT method can be used by a web client to create an HTTP tunnel to third party websites or services.

Insecure HTTP Method - PROPFIND

Mon, 01 Jan 0001 00:00:00 +0000

This HTTP method is a WEBDAV method: PROPFIND. If this server is not offering any WEBDAV services, these methods should not be available.

Insecure HTTP Method - PUT

Mon, 01 Jan 0001 00:00:00 +0000

The insecure HTTP method [PUT] is enabled on the web server for this resource. Depending on the web server configuration, and the underlying implementation responsible for serving the resource, this might or might not be exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the HttpOnly flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. The CONNECT method can be used by a web client to create an HTTP tunnel to third party websites or services.

Insecure HTTP Method - PUT

Mon, 01 Jan 0001 00:00:00 +0000

This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for update capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.

Insecure HTTP Method - TRACE

Mon, 01 Jan 0001 00:00:00 +0000

The insecure HTTP method [TRACE] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the HttpOnly flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability.

Internal file path disclosure

Mon, 01 Jan 0001 00:00:00 +0000

Detects common framework stack traces, error pages, and path disclosures in observed responses.

Generated by OWASP PTK DAST Module

Internal IP address leaked in response

Mon, 01 Jan 0001 00:00:00 +0000

Detects internal hostnames/IPs and environment hints (staging/dev/local) disclosed in observed responses.

Generated by OWASP PTK DAST Module

Java stack trace

Mon, 01 Jan 0001 00:00:00 +0000

Detects common framework stack traces, error pages, and path disclosures in observed responses.

Generated by OWASP PTK DAST Module

JavaScript includes sourceMappingURL

Mon, 01 Jan 0001 00:00:00 +0000

Detects source map references and common debug artifacts in observed HTML/JS responses. These are high-value recon leads for code disclosure and hidden endpoints.

Generated by OWASP PTK DAST Module

localhost/127.0.0.1 referenced in response

Mon, 01 Jan 0001 00:00:00 +0000

Detects internal hostnames/IPs and environment hints (staging/dev/local) disclosed in observed responses.

Generated by OWASP PTK DAST Module

Mapbox token exposed

Mon, 01 Jan 0001 00:00:00 +0000

Flags secret-like tokens and exposed configuration values in observed HTML/JS/JSON responses. These are recon leads; validate sensitivity before reporting.

Generated by OWASP PTK DAST Module

Message handler without origin validation

Mon, 01 Jan 0001 00:00:00 +0000

Detects unsafe postMessage usage and message event handling issues (missing origin validation, wildcard targetOrigin, tainted data flowing into DOM/code sinks).

Generated by OWASP PTK SAST Module

Missing Anti-clickjacking Header

Mon, 01 Jan 0001 00:00:00 +0000

The response does not protect against ‘ClickJacking’ attacks. It should include either Content-Security-Policy with ‘frame-ancestors’ directive or X-Frame-Options.

Missing Content-Security-Policy header

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Missing or invalid X-Content-Type-Options

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Missing or weak Referrer-Policy

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Missing Strict-Transport-Security header (on HTTPS)

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Modern Web Application

Mon, 01 Jan 0001 00:00:00 +0000

The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

Multiple X-Frame-Options Header Entries

Mon, 01 Jan 0001 00:00:00 +0000

X-Frame-Options (XFO) headers were found, a response with multiple XFO header entries may not be predictably treated by all user-agents.

Next.js build metadata exposed

Mon, 01 Jan 0001 00:00:00 +0000

Detects source map references and common debug artifacts in observed HTML/JS responses. These are high-value recon leads for code disclosure and hidden endpoints.

Generated by OWASP PTK DAST Module

Node.js / Express stack trace

Mon, 01 Jan 0001 00:00:00 +0000

Detects common framework stack traces, error pages, and path disclosures in observed responses.

Generated by OWASP PTK DAST Module

Obsolete Content Security Policy (CSP) Header Found

Mon, 01 Jan 0001 00:00:00 +0000

The “X-Content-Security-Policy” and “X-WebKit-CSP” headers are no longer recommended.

OIDC well-known configuration observed

Mon, 01 Jan 0001 00:00:00 +0000

Flags security-relevant well-known resources and metadata files when they appear in observed traffic.

Generated by OWASP PTK DAST Module

OpenAPI spec detected

Mon, 01 Jan 0001 00:00:00 +0000

Detects exposure of API documentation, specs, and interactive consoles observed in traffic.

Generated by OWASP PTK DAST Module

Origin check uses host fragment only

Mon, 01 Jan 0001 00:00:00 +0000

Detects unsafe postMessage usage and message event handling issues (missing origin validation, wildcard targetOrigin, tainted data flowing into DOM/code sinks).

Generated by OWASP PTK SAST Module

PHP fatal error / warning

Mon, 01 Jan 0001 00:00:00 +0000

Detects common framework stack traces, error pages, and path disclosures in observed responses.

Generated by OWASP PTK DAST Module

phpinfo endpoint observed

Mon, 01 Jan 0001 00:00:00 +0000

Flags high-value endpoint patterns observed in traffic (admin panels, debug endpoints, consoles, and backup/config file paths).

Generated by OWASP PTK DAST Module

Possible Username Enumeration

Mon, 01 Jan 0001 00:00:00 +0000

It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the ‘Attack Strength’ Option in ZAP. Please manually check the ‘Other Info’ field to confirm if this is actually an issue.

Potential .git exposure path observed

Mon, 01 Jan 0001 00:00:00 +0000

Flags high-value endpoint patterns observed in traffic (admin panels, debug endpoints, consoles, and backup/config file paths).

Generated by OWASP PTK DAST Module

Potential backup file observed

Mon, 01 Jan 0001 00:00:00 +0000

Flags high-value endpoint patterns observed in traffic (admin panels, debug endpoints, consoles, and backup/config file paths).

Generated by OWASP PTK DAST Module

Potentially authenticated content lacks no-store

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Private key material exposed

Mon, 01 Jan 0001 00:00:00 +0000

Flags secret-like tokens and exposed configuration values in observed HTML/JS/JSON responses. These are recon leads; validate sensitivity before reporting.

Generated by OWASP PTK DAST Module

Properties File Disclosure - /WEB-INF folder

Mon, 01 Jan 0001 00:00:00 +0000

A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys.

Proxy Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine

A list of targets for an attack against the application.
Potential vulnerabilities on the proxy servers that service the application.
The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.

Proxy Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine

A list of targets for an attack against the application.
Potential vulnerabilities on the proxy servers that service the application.
The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.

Public-Key-Pins is deprecated

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Python traceback

Mon, 01 Jan 0001 00:00:00 +0000

Detects common framework stack traces, error pages, and path disclosures in observed responses.

Generated by OWASP PTK DAST Module

Relative Path Confusion

Mon, 01 Jan 0001 00:00:00 +0000

The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct “relative path” for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. In an attack, if the web browser parses the “cross-content” response in a permissive manner, or can be tricked into permissively parsing the “cross-content” response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability.

Review assignments to href/src/action

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK SAST Module

Review message event listeners

Mon, 01 Jan 0001 00:00:00 +0000

Detects unsafe postMessage usage and message event handling issues (missing origin validation, wildcard targetOrigin, tainted data flowing into DOM/code sinks).

Generated by OWASP PTK SAST Module

Secure Pages Include Mixed Content

Mon, 01 Jan 0001 00:00:00 +0000

The page includes mixed content, that is content accessed via HTTP instead of HTTPS.

security.txt observed

Mon, 01 Jan 0001 00:00:00 +0000

Flags security-relevant well-known resources and metadata files when they appear in observed traffic.

Generated by OWASP PTK DAST Module

Sensitive cookies missing security flags

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Sentry DSN exposed

Mon, 01 Jan 0001 00:00:00 +0000

Flags secret-like tokens and exposed configuration values in observed HTML/JS/JSON responses. These are recon leads; validate sensitivity before reporting.

Generated by OWASP PTK DAST Module

Server banner discloses software/version

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Server Leaks its Webserver Application via "Server" HTTP Response Header Field

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking the application it uses as a webserver via the “Server” HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to. This information alone, i.e. without a version string, is not very dangerous for the security of a server, nevertheless this information in the response header field is almost always useless and thus just an obsolete attacking vector.

Server Leaks Version Information via "Server" HTTP Response Header Field

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking version information via the “Server” HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.

Slack token pattern

Mon, 01 Jan 0001 00:00:00 +0000

Flags secret-like tokens and exposed configuration values in observed HTML/JS/JSON responses. These are recon leads; validate sensitivity before reporting.

Generated by OWASP PTK DAST Module

Source Code Disclosure - /WEB-INF Folder

Mon, 01 Jan 0001 00:00:00 +0000

Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code.

Source Code Disclosure - File Inclusion

Mon, 01 Jan 0001 00:00:00 +0000

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.

Source Code Disclosure - Git

Mon, 01 Jan 0001 00:00:00 +0000

The source code for the current page was disclosed by the web server.

Source Code Disclosure - PHP

Mon, 01 Jan 0001 00:00:00 +0000

Application Source Code was disclosed by the web server. - PHP

Source Code Disclosure - SVN

Mon, 01 Jan 0001 00:00:00 +0000

The source code for the current page was disclosed by the web server.

Specify postMessage targetOrigin

Mon, 01 Jan 0001 00:00:00 +0000

Detects unsafe postMessage usage and message event handling issues (missing origin validation, wildcard targetOrigin, tainted data flowing into DOM/code sinks).

Generated by OWASP PTK SAST Module

Spring Boot actuator endpoint observed

Mon, 01 Jan 0001 00:00:00 +0000

Flags high-value endpoint patterns observed in traffic (admin panels, debug endpoints, consoles, and backup/config file paths).

Generated by OWASP PTK DAST Module

Strict-Transport-Security Defined via META (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) META tag was found, defining HTTP Strict Transport Security (HSTS) via a META tag is explicitly not supported by the spec (RFC 6797).

Strict-Transport-Security Disabled

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains the directive max-age=0 which disables the control and instructs browsers to reset any previous HSTS related settings. See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.

Strict-Transport-Security Header on Plain HTTP Response

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but HSTS headers are ignored on plain (non-HTTPS) responses. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Malformed Content (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters.

Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Missing Max-Age (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it is missing the max-age directive (or the directive is missing a value). See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Strict Transport Security (HSTS) headers were found, a response with multiple HSTS header entries is not compliant with the specification (RFC 6797) and only the first HSTS header will be processed others will be ignored by user agents or the HSTS policy may be incorrectly applied. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security sent over HTTP (ineffective)

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

Stripe publishable key exposed

Mon, 01 Jan 0001 00:00:00 +0000

Flags secret-like tokens and exposed configuration values in observed HTML/JS/JSON responses. These are recon leads; validate sensitivity before reporting.

Generated by OWASP PTK DAST Module

Sub Resource Integrity Attribute Missing

Mon, 01 Jan 0001 00:00:00 +0000

The integrity attribute is missing on a script or link tag served by an external server. The integrity tag prevents an attacker who have gained access to this server from injecting a malicious content.

Swagger UI detected

Mon, 01 Jan 0001 00:00:00 +0000

Detects exposure of API documentation, specs, and interactive consoles observed in traffic.

Generated by OWASP PTK DAST Module

Swagger/OpenAPI path observed

Mon, 01 Jan 0001 00:00:00 +0000

Flags high-value endpoint patterns observed in traffic (admin panels, debug endpoints, consoles, and backup/config file paths).

Generated by OWASP PTK DAST Module

Trace.axd Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information.

Untrusted DOM data into createHTMLDocument

Mon, 01 Jan 0001 00:00:00 +0000

Detects untrusted DOM data being written into form metadata (formAction/target/method/value/placeholder), inline style surfaces (style/cssText/background*), document.title, history state, or createHTMLDocument — mutations that influence UI/navigation state without covering classic href/src/action sinks already handled elsewhere.

Generated by OWASP PTK SAST Module

Untrusted DOM data into navigation-adjacent sinks

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK SAST Module

Untrusted DOM data into UI mutation sinks

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK SAST Module

Vulnerable Swagger UI Version Detected

Mon, 01 Jan 0001 00:00:00 +0000

This Swagger UI version is known to contain vulnerabilities. Exploitation may allow unauthorized access, XSS, or token theft.

Affected versions:

Swagger UI v2 < 2.2.10
Swagger UI v3 < 3.24.3

Web Cache Deception

Mon, 01 Jan 0001 00:00:00 +0000

Web cache deception may be possible. It may be possible for unauthorised user to view sensitive data on this page.

Web Message Injection (taint flow)

Mon, 01 Jan 0001 00:00:00 +0000

Detects unsafe postMessage usage and message event handling issues (missing origin validation, wildcard targetOrigin, tainted data flowing into DOM/code sinks).

Generated by OWASP PTK SAST Module

Webpack dev-server / hot reload artifacts

Mon, 01 Jan 0001 00:00:00 +0000

Detects source map references and common debug artifacts in observed HTML/JS responses. These are high-value recon leads for code disclosure and hidden endpoints.

Generated by OWASP PTK DAST Module

Wildcard reply from message handler

Mon, 01 Jan 0001 00:00:00 +0000

Detects unsafe postMessage usage and message event handling issues (missing origin validation, wildcard targetOrigin, tainted data flowing into DOM/code sinks).

Generated by OWASP PTK SAST Module

WSDL File Detection

Mon, 01 Jan 0001 00:00:00 +0000

A WSDL File has been detected.

X-AspNet-Version Response Header

Mon, 01 Jan 0001 00:00:00 +0000

Server leaks information via “X-AspNet-Version”/“X-AspNetMvc-Version” HTTP response header field(s).

X-Backend-Server Header Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems.

X-Content-Type-Options Header Missing

Mon, 01 Jan 0001 00:00:00 +0000

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to ’nosniff’. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

X-Frame-Options Defined via META (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034).

X-Frame-Options Setting Malformed

Mon, 01 Jan 0001 00:00:00 +0000

An X-Frame-Options header was present in the response but the value was not correctly set.

X-Powered-By header or equivalent present

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module

X-XSS-Protection header is a legacy directive

Mon, 01 Jan 0001 00:00:00 +0000

Generated by OWASP PTK DAST Module