Static/Dynamic Application Security Testing (S/DAST)

Matthew Chiappone

University of San Diego

CSOL 560: Secure Software Design Development

Prof. Mozano

10/25/2021 

Static/Dynamic Application Security Testing (S/DAST)

Abstract
This report covers the scanning of the open-source medical device software SecPump. “SecPump is an open wireless insulin pump system workbench that models the insulin kinetics based on the modified Bergman's minimal model.” (Bresch, 2020) The scan used is Static Application Security Testing (SAST).

1. Introduction

ZAP Scanning Report


Generated with ZAP on Thu 21 Oct 2021, at 12:36:52

Contents
About this report

Report description

Report parameters

Summaries

Alert counts by risk and confidence

Alert counts by site and risk

Alert counts by alert type

Alerts

Risk=High, Confidence=Medium (1)

Risk=Medium, Confidence=Medium (1)

Risk=Low, Confidence=Medium (7)

Risk=Low, Confidence=Low (5)

Appendix

Alert types

About this report


Report description

Report parameters

Contexts

No contexts were selected, so all contexts were included by default.

Sites

The following sites were included:

http://127.0.0.1:8080

(If no sites were selected, all sites were included by default.)

An included site must also be within one of the included contexts for its data to be
included in the report.

Risk levels

Included: High, Medium, Low, Informational

Excluded: None

Confidence levels

Included: User Confirmed, High, Medium, Low

Excluded: User Confirmed, High, Medium, Low, False Positive

Summaries

Alert counts by risk and confidence


This table shows the number of alerts for each level of risk and confidence included in the
report.

(The percentages in brackets represent the count as a percentage of the total number of alerts
included in the report, rounded to one decimal place.)

Risk \ Confidence   User Confirmed   High        Medium       Low          Total
High                0 (0.0%)         0 (0.0%)    1 (7.1%)     0 (0.0%)     1 (7.1%)
Medium              0 (0.0%)         0 (0.0%)    1 (7.1%)     0 (0.0%)     1 (7.1%)
Low                 0 (0.0%)         0 (0.0%)    7 (50.0%)    5 (35.7%)    12 (85.7%)
Informational       0 (0.0%)         0 (0.0%)    0 (0.0%)     0 (0.0%)     0 (0.0%)
Total               0 (0.0%)         0 (0.0%)    9 (64.3%)    5 (35.7%)    14 (100%)

Alert counts by site and risk

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

Alerts with a confidence level of "False Positive" have been excluded from these counts.

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

Site                     High (>= High)   Medium (>= Medium)   Low (>= Low)   Informational (>= Informational)
http://127.0.0.1:8080    1 (1)            1 (2)                12 (14)        0 (14)

Alert counts by alert type

This table shows the number of alerts of each alert type, together with the alert type's risk
level.

(The percentages in brackets represent each count as a percentage, rounded to one decimal
place, of the total number of alerts included in this report.)

Alert type                          Risk     Count
SQL Injection                       High     1 (7.1%)
Parameter Tampering                 Medium   1 (7.1%)
Absence of Anti-CSRF Tokens         Low      5 (35.7%)
Cookie No HttpOnly Flag             Low      1 (7.1%)
Cookie without SameSite Attribute   Low      1 (7.1%)
Timestamp Disclosure - Unix         Low      5 (35.7%)
Total                                        14

Alerts
Risk=High, Confidence=Medium (1)

http://127.0.0.1:8080 (1)

SQL Injection (1)

POST http://127.0.0.1:8080/WebGoat/register.mvc

Alert tags: OWASP_2021_A03, OWASP_2017_A01

Alert description: SQL injection may be possible.

Other info: The page results were successfully manipulated using the boolean conditions [agree' AND '1'='1' -- ] and [agree' AND '1'='2' -- ]
The parameter value being modified was NOT stripped from the HTML output for the purposes of the comparison
Data was returned for the original parameter.
The vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter

Request: Request line and header section (400 bytes)

POST http://127.0.0.1:8080/WebGoat/register.mvc HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1:8080/WebGoat/registration
Content-Length: 87
Cookie: JSESSIONID=aI5PMM_strdZGAvEeErLIeV65uTEHs-F1CQJcEBg

Request body (87 bytes)

username=ZAP&password=ZAP&matchingPassword=ZAP&agree=agree%27+AND+%271%27%3D%271%27+--+

Response: Status line and header section (231 bytes)

HTTP/1.1 200 OK
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-
Date: Thu, 21 Oct 2021 17:49:50 GMT

Response body (4825 bytes)

Parameter: agree

Attack: agree' AND '1'='1' --

Solution: Do not trust client side input, even if there is client side validation in place.

In general, type check all data on the server side.

If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

If database Stored Procedures can be used, use them.

Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

Do not create dynamic SQL queries using simple string concatenation.

Escape all data received from the client.

Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.

Apply the principle of least privilege by using the least privileged database user possible.

In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

Grant the minimum database access that is necessary for the application.

Risk=Medium, Confidence=Medium (1)

http://127.0.0.1:8080 (1)

Parameter Tampering (1)

POST http://127.0.0.1:8080/WebGoat/register.mvc

Alert tags: OWASP_2021_A04, OWASP_2017_A01

Alert description: Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit.

Request: Request line and header section (400 bytes)

POST http://127.0.0.1:8080/WebGoat/register.mvc HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1:8080/WebGoat/registration
Content-Length: 39
Cookie: JSESSIONID=aI5PMM_strdZGAvEeErLIeV65uTEHs-F1CQJcEBg

Request body (39 bytes)

username=ZAP&password=ZAP&=&agree=agree

Response: Status line and header section (175 bytes)

HTTP/1.1 500 Internal Server Error
Connection: keep-alive
Content-Type: application/json
Content-Disposition: inline;filename=f.txt
Date: Thu, 21 Oct 2021 17:51:00 GMT

Response body (11583 bytes)

Parameter: matchingPassword

Evidence: javax.servlet.http.HttpServlet.service(HttpServlet.java:517)\n\tat

Solution: Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error.

Risk=Low, Confidence=Medium (7)

http://127.0.0.1:8080 (7)

Absence of Anti-CSRF Tokens (5)

GET http://127.0.0.1:8080/WebGoat

Alert tags: OWASP_2021_A01, OWASP_2017_A05

Alert description: No Anti-CSRF tokens were found in a HTML submission form.

A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

CSRF attacks are effective in a number of situations, including:

* The victim has an active session on the target site.

* The victim is authenticated via HTTP auth on the target site.

* The victim is on the same local network as the target site.

CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.

Other info: No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following HTML form: [Form 1: "exampleInputEmail1" "exampleInputPassword1" ].

Request: Request line and header section (203 bytes)

GET http://127.0.0.1:8080/WebGoat HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Pragma: no-cache
Cache-Control: no-cache

Request body (0 bytes)

Response: Status line and header section (231 bytes)

HTTP/1.1 200 OK
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-
Date: Thu, 21 Oct 2021 17:47:48 GMT

Response body (1810 bytes)

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Login Page</title>
    <link rel="stylesheet" type="text/css" href="/WebGoat/css/main.css"/>
    <link rel="stylesheet" type="text/css" href="/WebGoat/plugins/bootstrap/css/bootstrap.min.css"/>
    <link rel="stylesheet" type="text/css" href="/WebGoat/css/font-awesome.min.css"/>
    <link rel="stylesheet" type="text/css" href="/WebGoat/css/animate.css"/>
</head>
<body>
<section id="container">
    <header id="header">
        <div class="brand">
            <a href="/WebGoat/start.mvc" class="logo"><span>Web</span>Goat</a>
        </div>
        <div class="lessonTitle">
        </div>
    </header>
    <section class="main-content-wrapper">
        <section id="main-content">
            <br/><br/>
            <form action="/WebGoat/login" method='POST' style="width: 200px;">
                <div class="form-group">
                    <label for="exampleInputEmail1">Username</label>
                    <input autofocus="dummy_for_thymeleaf_parser" type="text" class="form-control" id="exampleInputEmail1" placeholder="Username" name='username' />
                </div>
                <div class="form-group">
                    <label for="exampleInputPassword1">Password</label>
                    <input type="password" class="form-control" id="exampleInputPassword1" placeholder="Password" name='password' />
                </div>
                <button class="btn btn-primary btn-block" type="submit">Sign in</button>
                <div class="text-center"><a href="/WebGoat/registration">Register new user</a></div>
            </form>
            <br/><br/>
        </section>
    </section>
</section>
</body>
</html>

Evidence: <form action="/WebGoat/login" method='POST' style="width: 200px;">

Solution: Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

For example, use anti-CSRF packages such as the OWASP CSRFGuard.

Phase: Implementation

Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.

Phase: Architecture and Design

Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).

Note that this can be bypassed using XSS.

Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.

Note that this can be bypassed using XSS.

Use the ESAPI Session Management control.

This control includes a component for CSRF.

Do not use the GET method for any request that triggers a state change.

Phase: Implementation

Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.

GET http://127.0.0.1:8080/WebGoat/login

Alert tags: OWASP_2021_A01, OWASP_2017_A05

Alert description: No Anti-CSRF tokens were found in a HTML submission form. (The remainder of the description is identical to that of the first Absence of Anti-CSRF Tokens instance above.)

Other info: No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following HTML form: [Form 1: "exampleInputEmail1" "exampleInputPassword1" ].

Request: Request line and header section (396 bytes)

GET http://127.0.0.1:8080/WebGoat/login HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Cookie: JSESSIONID=SQeFoh-IwI6ZzglEDTFxrDS_5EMhKxWs4tKpI0iq
Upgrade-Insecure-Requests: 1

Request body (0 bytes)

Response: Status line and header section (233 bytes)

HTTP/1.1 200 OK
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Thu, 21 Oct 2021 17:47:02 GMT

Response body (1810 bytes)


(Identical to the 1810-byte login page body shown for GET http://127.0.0.1:8080/WebGoat above.)

Evidence: <form action="/WebGoat/login" method='POST' style="width: 200px;">

Solution: identical to the solution given for the first Absence of Anti-CSRF Tokens instance above.

GET http://127.0.0.1:8080/WebGoat/login?error

Alert tags: OWASP_2021_A01, OWASP_2017_A05

Alert description: No Anti-CSRF tokens were found in a HTML submission form. (The remainder of the description is identical to that of the first Absence of Anti-CSRF Tokens instance above.)

Other info: No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following HTML form: [Form 1: "exampleInputEmail1" "exampleInputPassword1" ].

Request: Request line and header section (322 bytes)

GET http://127.0.0.1:8080/WebGoat/login?error HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Pragma: no-cache
Cache-Control: no-cache
Referer: http://127.0.0.1:8080/WebGoat/login
Cookie: JSESSIONID=aI5PMM_strdZGAvEeErLIeV65uTEHs-F1CQJcEBg

Request body (0 bytes)

Response: Status line and header section (231 bytes)

HTTP/1.1 200 OK
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-
Date: Thu, 21 Oct 2021 17:48:06 GMT

Response body (1888 bytes)

(Identical to the login page body shown for GET http://127.0.0.1:8080/WebGoat above, except that the following block is inserted at the start of <section id="main-content">, before the first <br/><br/>:)

            <div>
                <p>Invalid username and password.</p>
            </div>

Evidence: <form action="/WebGoat/login" method='POST' style="width: 200px;">

Solution: identical to the solution given for the first Absence of Anti-CSRF Tokens instance above.

GET http://127.0.0.1:8080/WebGoat/registration

Alert tags: OWASP_2021_A01, OWASP_2017_A05

Alert description: No Anti-CSRF tokens were found in a HTML submission form. (The remainder of the description is identical to that of the first Absence of Anti-CSRF Tokens instance above.)

Other info: No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following HTML form: [Form 1: "agree" "matchingPassword" "password" "username" ].

Request: Request line and header section (323 bytes)

GET http://127.0.0.1:8080/WebGoat/registration HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Pragma: no-cache
Cache-Control: no-cache
Referer: http://127.0.0.1:8080/WebGoat/login
Cookie: JSESSIONID=aI5PMM_strdZGAvEeErLIeV65uTEHs-F1CQJcEBg

Request body (0 bytes)

Response: Status line and header section (231 bytes)

HTTP/1.1 200 OK
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-
Date: Thu, 21 Oct 2021 17:48:04 GMT

Response body (4605 bytes)

Evidence: <form class="form-horizontal" action="/WebGoat/register.mvc" method='POST'>

Solution: identical to the solution given for the first Absence of Anti-CSRF Tokens instance above.

POST http://127.0.0.1:8080/WebGoat/register.mvc

Alert tags: OWASP_2021_A01, OWASP_2017_A05

Alert description: No Anti-CSRF tokens were found in a HTML submission form. (The remainder of the description is identical to that of the first Absence of Anti-CSRF Tokens instance above.)

Other info: No known Anti-CSRF token [anticsrf, CSRFToken, RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, csrf_magic, CSRF, _token, _csrf_token] was found in the following HTML form: [Form 1: "agree" "matchingPassword" "password" "username" ].

Request: Request line and header section (400 bytes)

POST http://127.0.0.1:8080/WebGoat/register.mvc HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1:8080/WebGoat/registration
Content-Length: 58
Cookie: JSESSIONID=aI5PMM_strdZGAvEeErLIeV65uTEHs-F1CQJcEBg

Request body (58 bytes)

username=ZAP&password=ZAP&matchingPassword=ZAP&agree=agree

Response: Status line and header section (231 bytes)

HTTP/1.1 200 OK
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-
Date: Thu, 21 Oct 2021 17:48:06 GMT

Response body (4825 bytes)

Evidence: <form class="form-horizontal" action="/WebGoat/register.mvc" method='POST'>

Solution: identical to the solution given for the first Absence of Anti-CSRF Tokens instance above.

Cookie No HttpOnly Flag (1)

GET http://127.0.0.1:8080/WebGoat/

Alert tags: OWASP_2021_A05, OWASP_2017_A06

Alert description: A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

Request Request line and header section (330 bytes)

GET http://127.0.0.1:8080/WebGoat/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Request body (0 bytes)

Response Status line and header section (318 bytes)

HTTP/1.1 302 Found
Connection: keep-alive
Set-Cookie: JSESSIONID=SQeFoh-IwI6ZzglEDTFxrDS_5EMhKxWs4tKpI0iq; path=/WebGoat
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Location: http://127.0.0.1:8080/WebGoat/login
Content-Length: 0
Date: Thu, 21 Oct 2021 17:47:01 GMT

Response body (0 bytes)

Parameter JSESSIONID

Evidence Set-Cookie: JSESSIONID

Solution Ensure that the HttpOnly flag is set for all cookies.

Cookie without SameSite Attribute (1)


GET http://127.0.0.1:8080/WebGoat/

Alert tags OWASP_2021_A01, OWASP_2017_A05

Alert description A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Request Request line and header section (330 bytes)

GET http://127.0.0.1:8080/WebGoat/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Request body (0 bytes)

Response Status line and header section (318 bytes)

HTTP/1.1 302 Found
Connection: keep-alive
Set-Cookie: JSESSIONID=SQeFoh-IwI6ZzglEDTFxrDS_5EMhKxWs4tKpI0iq; path=/WebGoat
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Location: http://127.0.0.1:8080/WebGoat/login
Content-Length: 0
Date: Thu, 21 Oct 2021 17:47:01 GMT

Response body (0 bytes)

Parameter JSESSIONID

Evidence Set-Cookie: JSESSIONID

Solution Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
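The two cookie findings (Cookie No HttpOnly Flag and Cookie without SameSite Attribute) both concern the same Set-Cookie header, so one added Python example covers both. It is not code from ZAP or WebGoat: a small passive check that parses a Set-Cookie value the way a scanner does and names the missing attributes, run against the JSESSIONID header from the 302 response above and against a constructed, corrected version of it. The Secure check is an addition for a TLS deployment; the report did not raise it because the scan target was plain http.

```python
from typing import Dict, List, Tuple

# Set-Cookie value from the report's 302 response to GET /WebGoat/ (as shown above).
REPORT_SET_COOKIE = "JSESSIONID=SQeFoh-IwI6ZzglEDTFxrDS_5EMhKxWs4tKpI0iq; path=/WebGoat"

# Constructed: the same cookie carrying the attributes the two solutions call for.
FIXED_SET_COOKIE = (
    "JSESSIONID=SQeFoh-IwI6ZzglEDTFxrDS_5EMhKxWs4tKpI0iq; Path=/WebGoat; "
    "HttpOnly; SameSite=Strict; Secure"
)


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased because browsers match them
    case-insensitively; flag attributes (HttpOnly, Secure) map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_cookie(header_value: str, over_tls: bool = False) -> List[str]:
    """Passive check reproducing the two report findings; [] means clean.

    over_tls adds the Secure check, which the report did not raise because
    the scan target was plain http://127.0.0.1:8080.
    """
    _, attrs = parse_set_cookie(header_value)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("Cookie No HttpOnly Flag")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        # Absent, or SameSite=None: the cookie still rides on cross-site requests.
        findings.append("Cookie without SameSite Attribute")
    if over_tls and "secure" not in attrs:
        findings.append("Cookie Without Secure Flag")
    return findings


if __name__ == "__main__":
    print("report :", check_cookie(REPORT_SET_COOKIE))
    print("fixed  :", check_cookie(FIXED_SET_COOKIE, over_tls=True))
```

In a Spring Boot application such as WebGoat the session cookie attributes are set server-side rather than per response, with `server.servlet.session.cookie.http-only=true`, `server.servlet.session.cookie.secure=true` and, from Spring Boot 2.6, `server.servlet.session.cookie.same-site=strict`. One practical caveat on 'strict': a user following a link into the application from another site arrives without the session cookie and sees the login page, which is why 'lax' is often chosen for the session cookie.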

Risk=Low, Confidence=Low (5)

http://127.0.0.1:8080 (5)

Timestamp Disclosure - Unix (5)

GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css

Alert tags OWASP_2021_A01, OWASP_2017_A03

Alert description A timestamp was disclosed by the application/web server - Unix

Other info 00000000, which evaluates to: 1969-12-31 16:00:00

Request Request line and header section (391 bytes)

GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: https://127.0.0.1:8080/WebGoat/login
Cookie: JSESSIONID=SQeFoh-IwI6ZzglEDTFxrDS_5EMhKxWs4tKpI0iq

Request body (0 bytes)

Response Status line and header section (373 bytes)

HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Accept-Ranges: bytes
Date: Thu, 21 Oct 2021 17:47:05 GMT
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Last-Modified: Sun, 05 Sep 2021 12:44:52 GMT
X-Content-Type-Options: nosniff
Content-Type: text/css
Content-Length: 99961

Response body (99961 bytes)

Evidence 00000000

Solution Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css

Alert tags OWASP_2021_A01, OWASP_2017_A03

Alert description A timestamp was disclosed by the application/web server - Unix

Other info 33333333, which evaluates to: 1971-01-21 11:15:33

Request Request line and header section (391 bytes)

GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: https://127.0.0.1:8080/WebGoat/login
Cookie: JSESSIONID=SQeFoh-IwI6ZzglEDTFxrDS_5EMhKxWs4tKpI0iq

Request body (0 bytes)

Response Status line and header section (373 bytes)

HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Accept-Ranges: bytes
Date: Thu, 21 Oct 2021 17:47:05 GMT
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Last-Modified: Sun, 05 Sep 2021 12:44:52 GMT
X-Content-Type-Options: nosniff
Content-Type: text/css
Content-Length: 99961

Response body (99961 bytes)

Evidence 33333333

Solution Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css

Alert tags OWASP_2021_A01, OWASP_2017_A03

Alert description A timestamp was disclosed by the application/web server - Unix

Other info 42857143, which evaluates to: 1971-05-11 17:45:43

Request Request line and header section (391 bytes)

GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: https://127.0.0.1:8080/WebGoat/login
Cookie: JSESSIONID=SQeFoh-IwI6ZzglEDTFxrDS_5EMhKxWs4tKpI0iq

Request body (0 bytes)

Response Status line and header section (373 bytes)

HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Accept-Ranges: bytes
Date: Thu, 21 Oct 2021 17:47:05 GMT
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Last-Modified: Sun, 05 Sep 2021 12:44:52 GMT
X-Content-Type-Options: nosniff
Content-Type: text/css
Content-Length: 99961

Response body (99961 bytes)

Evidence 42857143

Solution Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css

Alert tags OWASP_2021_A01, OWASP_2017_A03

Alert description A timestamp was disclosed by the application/web server - Unix

Other info 66666667, which evaluates to: 1972-02-11 06:31:07

Request Request line and header section (391 bytes)

GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: https://127.0.0.1:8080/WebGoat/login
Cookie: JSESSIONID=SQeFoh-IwI6ZzglEDTFxrDS_5EMhKxWs4tKpI0iq

Request body (0 bytes)

Response Status line and header section (373 bytes)

HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Accept-Ranges: bytes
Date: Thu, 21 Oct 2021 17:47:05 GMT
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Last-Modified: Sun, 05 Sep 2021 12:44:52 GMT
X-Content-Type-Options: nosniff
Content-Type: text/css
Content-Length: 99961

Response body (99961 bytes)

Evidence 66666667

Solution Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css

Alert tags OWASP_2021_A01, OWASP_2017_A03

Alert description A timestamp was disclosed by the application/web server - Unix

Other info 80000000, which evaluates to: 1972-07-14 15:13:20

Request Request line and header section (391 bytes)

GET http://127.0.0.1:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: https://127.0.0.1:8080/WebGoat/login
Cookie: JSESSIONID=SQeFoh-IwI6ZzglEDTFxrDS_5EMhKxWs4tKpI0iq

Request body (0 bytes)

Response Status line and header section (373 bytes)

HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Accept-Ranges: bytes
Date: Thu, 21 Oct 2021 17:47:05 GMT
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Last-Modified: Sun, 05 Sep 2021 12:44:52 GMT
X-Content-Type-Options: nosniff
Content-Type: text/css
Content-Length: 99961

Response body (99961 bytes)

Evidence 80000000

Solution Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.
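All five Timestamp Disclosure alerts come from one minified stylesheet, and the solution asks for manual confirmation. The added Python example below is a triage heuristic of my own, not code from ZAP or WebGoat: every eight-to-ten-digit run in a response body is checked for decimal-number context (a preceding '.' or a following '%', the shape of CSS percentage widths and line-heights) and for whether the value decodes to a date anywhere near the scan date. The CSS sample is constructed in the style of Bootstrap 3 grid values; the page does not show which tokens in the real bootstrap.min.css produced the matches. The JavaScript sample is also constructed and embeds a genuine epoch (the report's own Date header as seconds) so that the two outcomes can be compared. Dates are printed in UTC, whereas the report rendered them in the scanner's local time zone (epoch 0 shows there as 1969-12-31 16:00:00, i.e. UTC-8).

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Scan time taken from the Date header of the responses above.
SCAN_TIME = datetime(2021, 10, 21, 17, 47, 5, tzinfo=timezone.utc)

# Assumption: an epoch value from the last ten years, or up to a year ahead,
# deserves a human look; anything else is almost certainly not a timestamp.
WINDOW_PAST = timedelta(days=365 * 10)
WINDOW_FUTURE = timedelta(days=365)

# A run of 8 to 10 digits not flanked by other digits (the report's evidence
# values are all eight digits).
CANDIDATE = re.compile(r"(?<!\d)\d{8,10}(?!\d)")

# Constructed sample in the style of Bootstrap 3 grid widths and line-height
# (eight decimal places); not a copy of the real bootstrap.min.css.
SAMPLE_CSS = ".col-xs-4{width:33.33333333%}.col-xs-8{width:66.66666667%}body{line-height:1.42857143}"

# Constructed sample of a script that really does embed an epoch (the report's
# Date header as seconds) next to an unrelated large integer.
SAMPLE_JS = "var buildTime=1634838421;var retries=80000000;"


def classify(body: str, scan_time: datetime = SCAN_TIME) -> List[Dict[str, str]]:
    """One verdict per candidate: 'review' or 'false positive', with the reason."""
    results: List[Dict[str, str]] = []
    for m in CANDIDATE.finditer(body):
        digits = m.group(0)
        before = body[m.start() - 1] if m.start() > 0 else ""
        after = body[m.end()] if m.end() < len(body) else ""
        when = datetime.fromtimestamp(int(digits), tz=timezone.utc)
        if before == "." or after in (".", "%"):
            verdict, reason = "false positive", "fraction digits of a decimal number"
        elif scan_time - WINDOW_PAST <= when <= scan_time + WINDOW_FUTURE:
            verdict, reason = "review", "decodes to a date close to the scan"
        else:
            verdict, reason = "false positive", "decodes to an implausible date"
        results.append({
            "evidence": digits,
            "utc": when.strftime("%Y-%m-%d %H:%M:%S"),
            "verdict": verdict,
            "reason": reason,
        })
    return results


def needs_review(body: str) -> List[str]:
    """Just the evidence values a human should still look at."""
    return [r["evidence"] for r in classify(body) if r["verdict"] == "review"]


if __name__ == "__main__":
    for sample in (SAMPLE_CSS, SAMPLE_JS):
        for r in classify(sample):
            print(f"{r['evidence']:>10}  {r['utc']}  {r['verdict']:14}  {r['reason']}")
```

Run over a static, vendored stylesheet the heuristic leaves nothing to review, which is the expected result for a third-party CSS file that changes only when the library is upgraded. The reverse case matters more: a build or deploy epoch written into a script or page footer does decode to a recent date, and that is the kind of value the solution's warning about aggregation refers to, because a series of them reveals release cadence.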

Appendix
Alert types

This section contains additional information on the types of alerts in the report.

SQL Injection

Source raised by an active scanner (SQL Injection)

CWE ID 89

WASC ID 19

Reference https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

Parameter Tampering

Source raised by an active scanner (Parameter Tampering)


CWE ID 472

WASC ID 20

Absence of Anti-CSRF Tokens

Source raised by a passive scanner (Absence of Anti-CSRF Tokens)

CWE ID 352

WASC ID 9

Reference http://projects.webappsec.org/Cross-Site-Request-Forgery

http://cwe.mitre.org/data/definitions/352.html

Cookie No HttpOnly Flag

Source raised by a passive scanner (Cookie No HttpOnly Flag)

CWE ID 1004

WASC ID 13

Reference https://owasp.org/www-community/HttpOnly

Cookie without SameSite Attribute

Source raised by a passive scanner (Cookie without SameSite Attribute)

CWE ID 1275

WASC ID 13

Reference https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site

Timestamp Disclosure - Unix


Source raised by a passive scanner (Timestamp Disclosure)

CWE ID 200

WASC ID 13

Reference http://projects.webappsec.org/w/page/13246936/Information%20Leakage
