Report Generation on ZAP

Report Templates

Mon, 01 Jan 0001 00:00:00 +0000

Report Templates

The following templates are available:

Name / Link to Details, Screenshot/Sample	ID	Format	Sections	Themes
High Level Report Sample	high-level-report	HTML	Yes
Modern HTML Report with themes and options	modern	HTML	Yes	Yes
Risk and Confidence HTML	risk-confidence-html	HTML	Yes
Traditional HTML Report	traditional-html	HTML	Yes
Traditional HTML Report with Requests and Responses	traditional-html-plus	HTML	Yes	Yes
Traditional JSON Report	traditional-json	JSON
Traditional JSON Report with Requests and Responses	traditional-json-plus	JSON	Yes
SARIF JSON Report	sarif-json	JSON
Traditional Markdown Report	traditional-md	Markdown	Yes
Traditional PDF Report	traditional-pdf	PDF	Yes
Traditional XML Report	traditional-xml	XML
Traditional XML Report with Requests and Responses	traditional-xml-plus	XML

Report Generation Automation Framework Support

Mon, 01 Jan 0001 00:00:00 +0000

Report Generation Automation Framework Support

This add-on supports the Automation Framework.

Job: report

The report job allows you to generate reports using any of the installed report templates.

Creating Reports

Mon, 01 Jan 0001 00:00:00 +0000

Creating Reports

You can easily create your own reports.

The add-on uses the Thymeleaf templating engine, so see their documentation for details of the templating syntax.

The built in reports are copied into the ‘reports’ directory underneath the ZAP default directory. Each report is in its own subdirectory. The easiest way to create a new report is to copy and existing one into a new directory at the same level.

Report Generation - About

Mon, 01 Jan 0001 00:00:00 +0000

Report Generation - About

Source Code

https://github.com/zaproxy/zap-extensions/tree/main/addOns/reports

Authors

ZAP Dev Team

Report Generation API

Mon, 01 Jan 0001 00:00:00 +0000

Report Generation API

The following operations are added to the API:

Views

templates: View available templates.
templateDetails (template*): View details of the specified template.

Actions

generate (title* template* theme description contexts sites sections includedConfidences includedRisks reportFileName reportFileNamePattern reportDir display): Generate a report with the supplied parameters.
- title: Report Title
- template: Report Template
- theme: Report Theme
- description: Report Description
- contexts: The name of the contexts to be included in the report, separated by ‘|’. For example, “Default Context|My Context”.
- sites: The site URLs that should be included in the report, separated by ‘|’.
- sections: The report sections that should be included, separated by ‘|’. View section names via API view templateDetails (template*)
- includedConfidences: Confidences that should be included in the report, separated by ‘|’. Accepted values are “False Positive”, “Low”, “Medium”, “High”, and “Confirmed”.
- includedRisks: Risks that should be included in the report, separated by ‘|’. Accepted values are “Informational”, “Low”, “Medium”, and “High”.
- reportFileName: The file name of the generated report. This value overrides the reportFileNamePattern parameter.
- reportFileNamePattern: Report File Name Pattern. For example, {{yyyy-MM-dd}}-ZAP-Report-[[site]].
- reportDir: Path to directory in which the generated report should be placed.
- display: Display the generated report. Either “true” or “false”.

High Level Report Sample

Mon, 01 Jan 0001 00:00:00 +0000

High Level Report Sample

Sections

Section	ID
Risk Summary Chart	riskSummaryChart
No. of Bug Occurrences Count	bugsCountChart
Insights	insights
Vulnerability Impact	vulnerabilityImpact

Screenshot

Modern HTML Report with themes and options

Mon, 01 Jan 0001 00:00:00 +0000

Modern HTML Report with themes and options

Sections

Section	ID
Chart	chart
Alert Count	alertcount
Insights	insights
Instance Count	instancecount
Passing Rules	passingrules
Alert Details	alertdetails
Statistics	statistics
Parameters	params

Themes

Theme	ID
Console [Dark / Green]	console
Construction [Light / Orange]	construction
Corporate [Light / Blue]	corporate
Marketing [Light / Purple]	marketing
Mountain [Light / Dark Blue]	mountain
Nature [Light / Green]	nature
Ocean [Light / Blue]	ocean
Plutonium [Dark / Green]	plutonium
Skyline [Dark / Pink]	skyline
Technology [Dark / Red]	technology

Screenshot

Risk and Confidence HTML

Mon, 01 Jan 0001 00:00:00 +0000

Risk and Confidence HTML

Sections

Section	ID
Contents	contents
About This Report	aboutThisReport
Report Description	reportDescription
Report Parameters	reportParameters
Summaries	summaries
Alert Counts by Risk and Confidence	riskConfidenceCounts
Alert Counts by Site and Risk	siteRiskCounts
Alert Counts by Alert Type	alertTypeCounts
Insights	insights
Alerts	alerts
Request Line and Header Section	requestHeader
Request Body	requestBody
Response Status Line and Header Section	responseHeader
Response Body	responseBody
Appendix	appendix
Alert Types	alertTypes

Screenshot

SARIF JSON Report

Mon, 01 Jan 0001 00:00:00 +0000

SARIF JSON Report

Sample

{
   "runs": [
      {
         "results": [ 
            {
               "level": "error",
               "locations": [
                  {
                     "physicalLocation": {
                        "artifactLocation": {
                           "uri": "https://127.0.0.1:8080/greeting?name=%3C%2Fp%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cp%3E"
                        },
                        "region": {
                           "startLine": 10, 
                           "snippet": {
                               "text": "<\/p><script>alert(1);<\/script><p>"
                           }
                        }
                     },
                     "properties": {
                         "attack": "<\/p><script>alert(1);<\/script><p>"
                     }
                  }
               ],
               "message": {
                  "text": "Some other additional information which shall appear inside the message"
               },
               "ruleId": "40012",
               "webRequest": {
                   "protocol": "HTTP",
                   "version": "1.1",
                   "target": "https://127.0.0.1:8080/greeting?name=%3C%2Fp%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cp%3E",
                   "method": "GET",
                   "headers": {
                       "Cache-Control" : "no-cache",
                       "Content-Length" : "0",
                       "Cookie" : "JSESSIONID=38AA1F7A61982DF1073D7F43A3707798; locale=de",
                       "Host" : "127.0.0.1:8080",
                       "Pragma" : "no-cache",
                       "Referer" : "https:\/\/127.0.0.1:8080\/hello",
                       "User-Agent" : "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko\/20100101 Firefox\/92.0"
                   },
                   "body": {
                       
                   }
               },
               "webResponse": {
                   "statusCode": 200,
                   "reasonPhrase": "",
                   "protocol": "HTTP",
                   "version": "1.1",
                   "headers": {
                       "Cache-Control" : "no-cache, no-store, max-age=0, must-revalidate",
                       "Content-Language" : "en-US",
                       "Content-Security-Policy" : "script-src 'self'",
                       "Content-Type" : "text\/html;charset=UTF-8",
                       "Date" : "Thu, 11 Nov 2021 09:56:20 GMT",
                       "Expires" : "0",
                       "Pragma" : "no-cache",
                       "Referrer-Policy" : "no-referrer",
                       "Set-Cookie" : "locale=de; HttpOnly; SameSite=strict",
                       "Strict-Transport-Security" : "max-age=31536000 ; includeSubDomains",
                       "X-Content-Type-Options" : "nosniff",
                       "X-Frame-Options" : "DENY",
                       "X-XSS-Protection" : "1; mode=block"
                   },
                   "body": {
                       "text": "<!DOCTYPE HTML>\n<html>\n<head>\n    <title>Getting Started: Serving Web Content<\/title>\n    <meta http-equiv=\"Content-Type\" content=\"text\/html; charset=UTF-8\" \/>\n<\/head>\n<body>\n    <!-- unsecure text used (th:utext instead th:text)- to create vulnerability (XSS) -->\n    <!-- simple usage: http:\/\/localhost:8080\/greeting?name=Test2<\/p><script>;alert(\"hallo\")<\/script> -->\n    <p >XSS attackable parameter output: <\/p><script>alert(1);<\/script><p>!<\/p>\n<\/body>\n<\/html>"
                   },
                   "noResponseReceived": false
               }
            }
         ],
         "taxonomies": [
            {
               "downloadUri": "https://cwe.mitre.org/data/xml/cwec_v4.8.xml.zip",
               "guid":  "b000a760-3e52-3565-a35c-f61369da53b7",
               "informationUri": "https://cwe.mitre.org/data/published/cwe_v4.8.pdf/",
               "isComprehensive": true,
               "language": "en",
               "minimumRequiredLocalizedDataSemanticVersion": "4.8",
               "name":  "CWE",
               "organization": "MITRE",
               "releaseDateUtc": "2022-06-28",
               "shortDescription": {
                  "text": "The MITRE Common Weakness Enumeration"
               },
               "taxa": [
                  {
                     "guid": "5dd429c8-e5e3-37a8-bf40-f7b2d72a9085",
                     "helpUri": "https://cwe.mitre.org/data/definitions/79.html",
                     "id": "79"
                  }
               ],
               "version": "4.4"
            }
         ],
         "tool": {
            "driver": {
               "guid": "840570e4-2388-38c0-8afe-ed426f2f5199",
               "informationUri": "https://www.zaproxy.org/",
               "name": "ZAP",
               "rules": [ 
                  {
                     "id": "40012",
                     "defaultConfiguration": {
                        "level": "error"
                     },
                     "fullDescription": {
                        "text": "CSS Description\nMultiple lines\n\nEnd"
                     },
                     "name": "Cross Site Scripting",
                     "properties": {
                            "references": [
                                "http://projects.webappsec.org/Cross-Site-Scripting",
                                "http://cwe.mitre.org/data/definitions/79.html"
                            ],
                            "solution": {
                                "text": "Phase: 1\n\nDo ...."
                            },
                            "confidence": "medium"
                     },
                     "relationships": [ 
                        {
                           "kinds": [
                              "superset"
                           ],
                           "target": {
                              "guid":"5dd429c8-e5e3-37a8-bf40-f7b2d72a9085",
                              "id": "79",
                              "toolComponent": {
                                 "guid": "b000a760-3e52-3565-a35c-f61369da53b7",
                                 "name": "CWE"
                              }
                           }
                        }
                        
                     ],
                     "shortDescription": {
                        "text": "Cross Site Scripting"
                     }
                  }
                  
               ],
               "semanticVersion": "Dev Build",
               "supportedTaxonomies": [ 
                  {
                     "guid": "b000a760-3e52-3565-a35c-f61369da53b7",
                     "name": "CWE"
                  }
               ],
               "version": "Dev Build"
            }
         }
      }
   ],
   "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
   "version": "2.1.0"
}

Traditional HTML

Mon, 01 Jan 0001 00:00:00 +0000

Traditional HTML

Sections

Section	ID
Alert Count	alertcount
Insights	insights
Instance Count	instancecount
Alert Details	alertdetails
Sequence Details	sequencedetails

Screenshot

Traditional HTML with Requests and Responses

Mon, 01 Jan 0001 00:00:00 +0000

Traditional HTML with Requests and Responses

Sections

Section	ID
Chart	chart
Alert Count	alertcount
Insights	insights
Instance Count	instancecount
Passing Rules	passingrules
Alert Details	alertdetails
Statistics	statistics
Parameters	params
Sequence Details	sequencedetails

Sequence Support

If “Sequence Details” are included in the report. Both a summary section and details section will be included.

Traditional JSON Report

Mon, 01 Jan 0001 00:00:00 +0000

Traditional JSON Report

Sample

{
    "@version": "Dev Build",
    "@generated": "Fri, 4 Feb 2022 13:04:51",
    "created": "2022-02-04T13:04:51.236211400Z",
	"insights":[
		{
			"level": "Info",
			"reason": "Informational",
			"site": "http://localhost:8080",
			"key": "insight.code.2xx",
			"description": "Percentage of responses with status code 2xx",
			"statistic": "95"
		}, ...
	],
    "site":[
        {
            "@name": "http://localhost:8080",
            "@host": "localhost",
            "@port": "8080",
            "@ssl": "false",
            "alerts": [
                {
                    "pluginid": "40012",
                    "alertRef": "40012",
                    "alert": "Cross Site Scripting (Reflected)",
                    "name": "Cross Site Scripting (Reflected)",
                    "riskcode": "3",
                    "confidence": "2",
                    "riskdesc": "High (Medium)",
                    "desc": "<p>Cross-site Scripting (XSS) is an attack technique that involves ...</p>",
                    "instances":[
                        {
                            "uri": "http://localhost:8080/bodgeit/search.jsp?q=%3C%2Ffont%3E%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E%3Cfont%3E",
                            "nodeName": "http://localhost:8080/bodgeit/search.jsp (q)",
                            "method": "GET",
                            "param": "q",
                            "attack": "</font><scrIpt>alert(1);</scRipt><font>",
                            "evidence": "</font><scrIpt>alert(1);</scRipt><font>",
                            "otherinfo": ""
                        },
                        {
                            "uri": "http://localhost:8080/bodgeit/contact.jsp",
                            "nodeName": "http://localhost:8080/bodgeit/contact.jsp",
                            "method": "POST",
                            "param": "comments",
                            "attack": "</td><scrIpt>alert(1);</scRipt><td>",
                            "evidence": "</td><scrIpt>alert(1);</scRipt><td>",
                            "otherinfo": ""
                        }
                    ],                   
                    "count": "2", 
                    "systemic": false, 
                    "solution": "<p>Phase: Architecture and Design</p><p>Use a vetted library or framework that does not ...</p>",
                    "otherinfo": "",
                    "reference": "<p>http://projects.webappsec.org/Cross-Site-Scripting</p><p>http://cwe.mitre.org/data/definitions/79.html</p>",
                    "cweid": "79",
                    "wascid": "8",
                    "sourceid": "36977"
                },

The report can also include details of Sequences and related active scanning results, for example:

Traditional JSON Report with Requests and Responses

Mon, 01 Jan 0001 00:00:00 +0000

Traditional JSON Report with Requests and Responses

Sections

Section	ID
Statistics	statistics
Sequence Details	sequencedetails
Automation Framework State	afstate

Sample

{
    "@version": "Dev Build",
    "@generated": "Fri, 4 Feb 2022 13:04:51",
    "created": "2022-02-04T13:04:51.236211400Z",
	"insights":[
		{
			"level": "Info",
			"reason": "Informational",
			"site": "http://localhost:8080",
			"key": "insight.code.2xx",
			"description": "Percentage of responses with status code 2xx",
			"statistic": "95"
		}, ...
	],
    "site":[
        {
            "@name": "http://localhost:8080",
            "@host": "localhost",
            "@port": "8080",
            "@ssl": "false",
            "alerts": [
                {
                    "pluginid": "40012",
                    "alertRef": "40012",
                    "alert": "Cross Site Scripting (Reflected)",
                    "name": "Cross Site Scripting (Reflected)",
                    "riskcode": "3",
                    "confidence": "2",
                    "riskdesc": "High (Medium)",
                    "desc": "<p>Cross-site Scripting (XSS) is an attack technique that involves ...</p>",
                    "instances":[
                        {
                            "uri": "http://localhost:8080/bodgeit/search.jsp?q=%3C%2Ffont%3E%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E%3Cfont%3E",
                            "nodeName": "http://localhost:8080/bodgeit/search.jsp (q)",
                            "method": "GET",
                            "param": "q",
                            "attack": "</font><scrIpt>alert(1);</scRipt><font>",
                            "evidence": "</font><scrIpt>alert(1);</scRipt><font>",
                            "otherinfo": "",
                            "request-header": "GET http://localhost:8080/bodgeit/search.jsp?q=%3C%2Ffont%3E%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E%3Cfont%3E HTTP/1.1\r\n...",
                            "request-body": "",
                            "response-header": "HTTP/1.1 200\r\nContent-Type: text/html;charset=ISO-8859-1\r\nContent-Length: 2045\r\nDate: Fri, 04 Feb 2022 11:56:38 GMT\r\n\r\n",
                            "response-body": "\n\n\n\n\n\n\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n<html>..."
                        },
                        {
                            "uri": "http://localhost:8080/bodgeit/contact.jsp",
                            "nodeName": "http://localhost:8080/bodgeit/contact.jsp",
                            "method": "POST",
                            "param": "comments",
                            "attack": "</td><scrIpt>alert(1);</scRipt><td>",
                            "evidence": "</td><scrIpt>alert(1);</scRipt><td>",
                            "otherinfo": "",
                            "request-header": "POST http://localhost:8080/bodgeit/contact.jsp HTTP/1.1\r\nHost: localhost:8080\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0)...",
                            "request-body": "null=&anticsrf=0.7583553183173598&comments=%3C%2Ftd%3E%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E%3Ctd%3E",
                            "response-header": "HTTP/1.1 200\r\nContent-Type: text/html;charset=ISO-8859-1\r\nContent-Length: 2025\r\nDate: Fri, 04 Feb 2022 11:56:35 GMT\r\n\r\n",
                            "response-body": "\n\n\n\n\n\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n<html>..."
                        }
                    ],                   
                    "count": "2", 
                    "systemic": false, 
                    "solution": "<p>Phase: Architecture and Design</p><p>Use a vetted library or framework that does not ...</p>",
                    "otherinfo": "",
                    "reference": "<p>http://projects.webappsec.org/Cross-Site-Scripting</p><p>http://cwe.mitre.org/data/definitions/79.html</p>",
                    "cweid": "79",
                    "wascid": "8",
                    "sourceid": "36977",
                    "tags":[ 
                        {
                            "tag": "OWASP_2021_A03",
                            "link": "https://owasp.org/Top10/A03_2021-Injection/"
                        },
                        {
                            "tag": "WSTG-v42-INPV-01",
                            "link": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting"
                        },
                        {
                            "tag": "OWASP_2017_A07",
                            "link": "https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS).html"
                        }
                    ]
                },
                ...
            ]
        }
    ]
}

Statistics Section

The report can also include statistics, per site and global, for example:

Traditional Markdown Report

Mon, 01 Jan 0001 00:00:00 +0000

Traditional Markdown Report

Sections

Section	ID
Alert Count	alertcount
Insights	insights
Instance Count	instancecount
Alert Details	alertdetails

Sample

Header `Risk (Confidence)`

This header is a combination identifier, showing Risk followed by Confidence. For example High (Medium) , would indicate a High risk issue identified with Medium confidence.

Traditional PDF

Mon, 01 Jan 0001 00:00:00 +0000

Traditional PDF

Sections

Section	ID
Alert Count	alertcount
Insights	insights
Instance Count	instancecount
Alert Details	alertdetails

Screenshot

Traditional XML Report

Mon, 01 Jan 0001 00:00:00 +0000

Traditional XML Report

Sample

<?xml version="1.0"?>
<OWASPZAPReport version="Dev Build" generated="Fri, 4 Feb 2022 17:42:18" created="2022-02-04T17:42:18.236211400Z">
    
        <site name="http://localhost:8080" host="localhost" port="8080" ssl="false">
            <alerts>

                    <alertitem>
                        <pluginid>20012</pluginid>
                        <alertRef>20012</alertRef>
                        <alert>Anti-CSRF Tokens Check</alert>
                        <name>Anti-CSRF Tokens Check</name>
                        <riskcode>3</riskcode>
                        <confidence>2</confidence>
                        <riskdesc>High (Medium)</riskdesc>
                        <confidencedesc>Medium</confidencedesc>
                        <desc><p>A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge...</desc>
                        <instances>
                                <instance>
                                    <uri>http://localhost:8080/bodgeit/advanced.jsp</uri>
                                    <nodeName>http://localhost:8080/bodgeit/advanced.jsp</nodeName>
                                    <method>GET</method>
                                    <param></param>
                                    <attack></attack>
                                    <evidence><form id="advanced" name="advanced" method="POST" onsubmit="return validateForm(this);false;"></evidence>
                                    <otherinfo></otherinfo>
                                </instance>

                                <instance>
                                    <uri>http://localhost:8080/bodgeit/advanced.jsp</uri>
                                    <nodeName>http://localhost:8080/bodgeit/advanced.jsp</nodeName>
                                    <method>GET</method>
                                    <param></param>
                                    <attack></attack>
                                    <evidence><form id="query" name="advanced" method="POST"></evidence>
                                    <otherinfo></otherinfo>
                                </instance>

                                <instance>
                                    <uri>http://localhost:8080/bodgeit/basket.jsp</uri>
                                    <nodeName>http://localhost:8080/bodgeit/basket.jsp</nodeName>
                                    <method>GET</method>
                                    <param></param>
                                    <attack></attack>
                                    <evidence><form action="basket.jsp" method="post"></evidence>
                                    <otherinfo></otherinfo>
                                </instance>
                        <count>2</count>
                        <systemic>false</systemic>
                        <solution>The solution</solution>
                        <otherinfo>The other info</otherinfo>

Traditional XML Report with Requests and Responses

Mon, 01 Jan 0001 00:00:00 +0000

Traditional XML Report with Requests and Responses

Sample

        <?xml version="1.0"?>
        <OWASPZAPReport version="2.11.1" generated="Fr., 30 Sep. 2022 08:40:35" created="2022-09-30T08:40:35.236211400Z">
                        <site name="http://localhost:8080" host="localhost" port="8080" ssl="false">
                                <alerts>
                                        
                                                <alertitem>
                                                        <pluginid>90027</pluginid>
                                                        <alertRef>90027</alertRef>
                                                        <alert>Cookie Slack Detector</alert>
                                                        <name>Cookie Slack Detector</name>
                                                        <riskcode>1</riskcode>
                                                        <confidence>1</confidence>
                                                        <riskdesc>Low (Low)</riskdesc>
                                                        <confidencedesc>Low</confidencedesc>
                                                        <desc>Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced.</desc>
                                                        <instances>
                                                                
                                                                        <instance>
                                                                                <uri>http://localhost:8080/bodgeit/js</uri>
                                                                                <nodeName>http://localhost:8080/bodgeit/js</nodeName>
                                                                                <method>GET</method>
                                                                                <param></param>
                                                                                <attack></attack>
                                                                                <evidence></evidence>
                                                                                <otherinfo></otherinfo>
                                                                                <requestheader>GET http://localhost:8080/bodgeit/js HTTP/1.1
        Host: localhost:8080
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:105.0) Gecko/20100101 Firefox/105.0
        Accept: */*
        Accept-Language: de,en-US;q=0.7,en;q=0.3
        Connection: keep-alive
        Referer: https://localhost:8080/bodgeit/
        Cookie: JSESSIONID=9E75E26E50F681208096FFAA0B566901
        Sec-Fetch-Dest: script
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Site: same-origin
        Content-Length: 0
        
        </requestheader>
                                                                                <requestbody></requestbody>
                                                                                <responseheader>HTTP/1.1 302 Found
        Server: Apache-Coyote/1.1
        Location: /bodgeit/js/
        Content-Length: 0
        Date: Fri, 30 Sep 2022 06:40:17 GMT
        
        </responseheader>
                                                                                <responsebody></responsebody>
                                                                        </instance>
                                                                
                                                                
                                                                        <instance>
                                                                                <uri>http://localhost:8080/bodgeit/js/util.js</uri>
                                                                                <nodeName>http://localhost:8080/bodgeit/js/util.js</nodeName>
                                                                                <method>GET</method>
                                                                                <param></param>
                                                                                <attack></attack>
                                                                                <evidence></evidence>
                                                                                <otherinfo></otherinfo>
                                                                                <requestheader>GET http://localhost:8080/bodgeit/js/util.js HTTP/1.1
        Host: localhost:8080
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:105.0) Gecko/20100101 Firefox/105.0
        Accept: */*
        Accept-Language: de,en-US;q=0.7,en;q=0.3
        Connection: keep-alive
        Referer: https://localhost:8080/bodgeit/
        Cookie: JSESSIONID=9E75E26E50F681208096FFAA0B566901
        Sec-Fetch-Dest: script
        Sec-Fetch-Mode: no-cors
        Sec-Fetch-Site: same-origin
        Content-Length: 0
        
        </requestheader>
                                                                                <requestbody></requestbody>
                                                                                <responseheader>HTTP/1.1 200 OK
        Server: Apache-Coyote/1.1
        Accept-Ranges: bytes
        ETag: W/&quot;1812-1343651578000&quot;
        Last-Modified: Mon, 30 Jul 2012 12:32:58 GMT
        Content-Type: application/javascript
        Content-Length: 1812
        Date: Fri, 30 Sep 2022 06:40:17 GMT
        
        </responseheader>
                                                                                <responsebody>
        function loadfile(filename){
                var filetype = filename.split(&apos;.&apos;).pop();
                switch (filetype){
                case &quot;js&quot;:
                        var insert=document.createElement(&apos;script&apos;)
                        insert.setAttribute(&quot;type&quot;,&quot;text/javascript&quot;)
                        insert.setAttribute(&quot;src&quot;, filename)
                        break;
                case &apos;css&apos;:
                var insert=document.createElement(&quot;link&quot;);
                insert.setAttribute(&quot;type&quot;, &quot;text/css&quot;)
                insert.setAttribute(&quot;href&quot;, filename)
                insert.setAttribute(&quot;rel&quot;, &quot;stylesheet&quot;)
                break;
                }
                if (typeof insert!=&quot;undefined&quot;)
                document.getElementsByTagName(&quot;head&quot;)[0].appendChild(insert);
                return false;
        }
        
        
        ////The following is from:
        //http://stackoverflow.com/questions/316781/how-to-build-query-string-with-javascript
        
        function form_to_params( form )
        {
                var output = &quot;&quot;;
                var length = form.elements.length
                for( var i = 0; i &lt; length; i++ )
                {
                element = form.elements[i]
        
                if(element.tagName == &apos;TEXTAREA&apos; )
                {
                        output += &quot;|&quot; + element.name + &quot;:&quot; + element.value; 
                }
                else if( element.tagName == &apos;INPUT&apos; )
                {
                        switch(element.type){
                        case &apos;radio&apos;:
                        case &apos;checkbox&apos;:
                                if(element.checked &amp;&amp; !element.value){
                                output += &quot;|&quot; + element.name + &quot;:on&quot;;
                                break;
                                }
                        case &apos;text&apos;:
                        case &apos;hidden&apos;:
                        case &apos;password&apos;:
                                if(element.value)
                                output += &quot;|&quot; + element.name + &quot;:&quot; + element.value;
                        break;     
                        }
                }
                }
                return output.substring(1);
        }
        
        
        function htmlEntities(str) {
                return String(str).replace(/&amp;/g, &apos;&amp;amp;&apos;).replace(/&lt;/g, &apos;&amp;lt;&apos;).replace(/&gt;/g, &apos;&amp;gt;&apos;).replace(/&quot;/g, &apos;&amp;quot;&apos;);
        }</responsebody>
                                                                        </instance>
                                                                
                                                        </instances>
                                                        <count>3</count>
                                                        <systemic>false</systemic>
                                                        <solution></solution>
                                                        <otherinfo>NOTE: Because of its name this cookie may be important, but dropping it appears to have no effect: [JSESSIONID] 
        Cookies that don&apos;t have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.
        These cookies affected the response: 
        These cookies did NOT affect the response: JSESSIONID
        </otherinfo>
                                                        <reference>http://projects.webappsec.org/Fingerprinting
        </reference>
                                                        <cweid>200</cweid>
                                                        <wascid>45</wascid>
                                                        <sourceid>2420</sourceid>
                                                        <tags>
                                                                <tag>
                                                                        <tag>OWASP_2017_A06 </tag>
                                                                        <link>https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html </link>
                                                                </tag>
                                                                <tag>
                                                                        <tag>OWASP_2021_A05 </tag>
                                                                        <link>https://owasp.org/Top10/A05_2021-Security_Misconfiguration/ </link>
                                                                </tag>
                                                                <tag>
                                                                        <tag>WSTG-v42-SESS-02 </tag>
                                                                        <link>https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes </link>
                                                                </tag>

                                                        </tags>
                                                </alertitem>
                                </alerts>
                                <statistics>
                                        <statistic>
                                                <key>site.specific.stat.a</key>
                                                <value>1</value>
                                        </statistic>
                                        <statistic>
                                                <key>site.specific.stat.b</key>
                                                <value>2</value>
                                        </statistic>
                                </statistics>
                        </site>
                        <statistics>
                                <statistic>
                                        <key>global.stat.a</key>
                                        <value>1</value>
                                </statistic>
                                <statistic>
                                        <key>global.stat.b</key>
                                        <value>2</value>
                                </statistic>
                        </statistics>
        </OWASPZAPReport>

Report Generation on ZAP

Report Templates

Report Templates

Report Generation Automation Framework Support

Report Generation Automation Framework Support

Job: report

Creating Reports

Creating Reports

Report Generation - About

Report Generation - About

Source Code

Authors

Report Generation API

Report Generation API

Views

Actions

High Level Report Sample

High Level Report Sample

Sections

Screenshot

Modern HTML Report with themes and options

Modern HTML Report with themes and options

Sections

Themes

Screenshot

Risk and Confidence HTML

Risk and Confidence HTML

Sections

Screenshot

SARIF JSON Report

SARIF JSON Report

Sample

Traditional HTML

Traditional HTML

Sections

Screenshot

Traditional HTML with Requests and Responses

Traditional HTML with Requests and Responses

Sections

Sequence Support

Traditional JSON Report

Traditional JSON Report

Sample

Traditional JSON Report with Requests and Responses

Traditional JSON Report with Requests and Responses

Sections

Sample

Statistics Section

Traditional Markdown Report

Traditional Markdown Report

Sections

Sample

Header Risk (Confidence)

Traditional PDF

Traditional PDF

Sections

Screenshot

Traditional XML Report

Traditional XML Report

Sample

Traditional XML Report with Requests and Responses

Traditional XML Report with Requests and Responses

Sample

Header `Risk (Confidence)`