Owasp Zap Scanner Output 2024-04-30

OWASP ZAP Scan Report
Target: https://41.66.249.148/
All scanned sites: https://41.66.249.148
Javascript included from: https://41.66.249.148

Generated on Tue, 30 Apr 2024 17:44:04
ZAP Version: 2.14.0
Summary of Alerts
Risk Level Number of Alerts
High 0
Medium 4
Low 4
Informational 1
Alerts
Name Risk Level Number of Instances
Content Security Policy (CSP) Header Not Set Medium 3

Cross-Domain Misconfiguration Medium 14
Missing Anti-clickjacking Header Medium 3
Vulnerable JS Library Medium 4
Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) Low 42
Server Leaks Version Information via "Server" HTTP Response Header Field Low 42
Strict-Transport-Security Header Not Set Low 2
X-Content-Type-Options Header Missing Low 36
Re-examine Cache-control Directives Informational 6
Passing Rules
Name Rule Type Threshold Strength
Session Management Response Identified Passive MEDIUM -

Verification Request Identified Passive MEDIUM -
Private IP Disclosure Passive MEDIUM -
Session ID in URL Rewrite Passive MEDIUM -
Insecure JSF ViewState Passive MEDIUM -
Charset Mismatch Passive MEDIUM -
Generated by HostedScan
Cookie No HttpOnly Flag Passive MEDIUM -
Cookie Without Secure Flag Passive MEDIUM -
Cross-Domain JavaScript Source File Inclusion Passive MEDIUM -
Content-Type Header Missing Passive MEDIUM -
Application Error Disclosure Passive MEDIUM -
Information Disclosure - Debug Error Messages Passive MEDIUM -
Information Disclosure - Sensitive Information in URL Passive MEDIUM -
Information Disclosure - Sensitive Information in HTTP Referrer Header Passive MEDIUM -
Information Disclosure - Suspicious Comments Passive MEDIUM -
Open Redirect Passive MEDIUM -
Cookie Poisoning Passive MEDIUM -
User Controllable Charset Passive MEDIUM -
User Controllable HTML Element Attribute (Potential XSS) Passive MEDIUM -
WSDL File Detection Passive MEDIUM -
Loosely Scoped Cookie Passive MEDIUM -
Viewstate Passive MEDIUM -
Directory Browsing Passive MEDIUM -
Heartbleed OpenSSL Vulnerability (Indicative) Passive MEDIUM -
X-Backend-Server Header Information Leak Passive MEDIUM -
Secure Pages Include Mixed Content Passive MEDIUM -
HTTP to HTTPS Insecure Transition in Form Post Passive MEDIUM -
HTTPS to HTTP Insecure Transition in Form Post Passive MEDIUM -
User Controllable JavaScript Event (XSS) Passive MEDIUM -
Big Redirect Detected (Potential Sensitive Information Leak) Passive MEDIUM -
Retrieved from Cache Passive MEDIUM -
X-ChromeLogger-Data (XCOLD) Header Information Leak Passive MEDIUM -
Cookie without SameSite Attribute Passive MEDIUM -
CSP Passive MEDIUM -
X-Debug-Token Information Leak Passive MEDIUM -
Username Hash Found Passive MEDIUM -
X-AspNet-Version Response Header Passive MEDIUM -
PII Disclosure Passive MEDIUM -
Stats Passive Scan Rule Passive MEDIUM -
Absence of Anti-CSRF Tokens Passive MEDIUM -
Timestamp Disclosure Passive MEDIUM -
Hash Disclosure Passive MEDIUM -
Weak Authentication Method Passive MEDIUM -
Reverse Tabnabbing Passive MEDIUM -
Modern Web Application Passive MEDIUM -
Authentication Request Identified Passive MEDIUM -
Alert Detail
Medium Content Security Policy (CSP) Header Not Set
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data
injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP
Description
headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript,
CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
URL https://41.66.249.148/
Method GET
Parameter
Attack
Evidence
URL https://41.66.249.148/FlexibankUI/tpl/common/login.html?v=18
Method GET
Parameter
Attack
Evidence
URL https://41.66.249.148/FlexibankUI/tpl/common/quick-launch-panel.html
Method GET
Parameter
Attack
Evidence
Instances 3
Solution Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://www.w3.org/TR/CSP/
Reference https://w3c.github.io/webappsec-csp/
https://web.dev/articles/csp
https://caniuse.com/#feat=contentsecuritypolicy
https://content-security-policy.com/
CWE Id 693
WASC Id 15
Plugin Id 10038
Medium Cross-Domain Misconfiguration

Description Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server
URL https://41.66.249.148/api/Auth/
Method POST
Parameter
Attack
Evidence Access-Control-Allow-Origin: *
URL https://41.66.249.148/Chat/negotiate?negotiateVersion=1
Method POST
Parameter
Attack
URL https://41.66.249.148/Chat?id=1oxBXClWuoTCo6wTLzV_OQ
Method POST
Parameter
Attack
URL https://41.66.249.148/Chat?id=8ZRlG5wrw2fX5jXn9_JEGQ
Method POST
Parameter
Attack
URL https://41.66.249.148/Chat?id=d_KQczIdm5XtPvDkznx4uQ
Method POST
Parameter
Attack
URL https://41.66.249.148/Chat?id=dnbEgfVZgruz6Joo_uZ4hQ
Method POST
Parameter
Attack
URL https://41.66.249.148/Chat?id=fVNGlZ2T-74iXS9797L8Hg
Method POST
Parameter
Attack
URL https://41.66.249.148/Chat?id=GSN0cADoykFxhAIRPZSGbA
Method POST
Parameter
Attack
URL https://41.66.249.148/Chat?id=H_Oqaam5TTH8jnShwExnhw
Method POST
Parameter
Attack
URL https://41.66.249.148/Chat?id=lBW27Zi_GlNdcJfofPUpjg
Method POST
Parameter
Attack
URL https://41.66.249.148/Chat?id=O79HXWrYOzDPIhoAP6egSw
Method POST
Parameter
Attack
URL https://41.66.249.148/Chat?id=Qz1kFH-blhqv-4tnvJfOGA
Method POST
Parameter
Attack
URL https://41.66.249.148/Chat?id=RU1KWe_3t3es6gnMD7X1LA
Method POST
Parameter
Attack
URL https://41.66.249.148/Chat?id=yvYTrh-nd-nmZDm9sJzVig
Method POST
Parameter
Attack
Instances 14
Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).
Solution
Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to
enforce the Same Origin Policy (SOP) in a more restrictive manner.
Reference https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy
CWE Id 264
WASC Id 14
Plugin Id 10098
Medium Missing Anti-clickjacking Header

Description The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
URL https://41.66.249.148/
Method GET
Parameter x-frame-options
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Instances 3
Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your
site/app.
Solution
If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never
expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
CWE Id 1021
WASC Id 15
Plugin Id 10020
Medium Vulnerable JS Library

Description The identified library jquery, version 3.4.1 is vulnerable.
URL https://41.66.249.148/FlexibankUI/scripts/datatables.min.js
Method GET
Parameter
Attack
Evidence n.version="1.10.18";n.settings=[];n.models={};n.models.oSearch
URL https://41.66.249.148/FlexibankUI/scripts/jquery-3.4.1.min.js
Method GET
Parameter
Attack
Evidence jquery-3.4.1.min.js
URL https://41.66.249.148/FlexibankUI/vendor/angular/angular.min.js
Method GET
Parameter
Attack
Evidence /* AngularJS v1.7.2
URL https://41.66.249.148/FlexibankUI/vendor/twitter-bootstrap-wizard/bootstrap/js/bootstrap.min.js
Method GET
Parameter
Attack
Evidence * Bootstrap v3.3.0
Instances 4
Solution Please upgrade to the latest version of jquery.
Reference https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
CWE Id 829
WASC Id
Plugin Id 10003
Low Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers
Description
identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.
URL https://41.66.249.148/
Method GET
Parameter
Attack
Evidence X-Powered-By: ASP.NET
URL https://41.66.249.148/api/Styles/
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/scripts/angular-datatables.buttons.min.js
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/scripts/angular-datatables.min.js
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/scripts/app.js?v=3004
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/scripts/app.main.js?v=3004
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/scripts/config.router.js?v=3004
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/scripts/custom.js?v=3004
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/scripts/directives/directive-bundle.js
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/scripts/extentions/extBundle.js
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/scripts/lang_en.js
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/scripts/noty/lib/noty.min.js
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/scripts/services/data.js?v=3004
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/scripts/services/services.js?v=3004
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/scripts/signature.js
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/scripts/table2Excel.js
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/vendor/angular-bootstrap/ui-bootstrap-tpls.js
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/vendor/angular-ui-utils/ui-utils.js
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/vendor/angular-xeditable/dist/js/xeditable.js
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/vendor/bootstrap-datepicker/dist/js/bootstrap-datepicker.js
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/vendor/bootstrap-timepicker/js/bootstrap-timepicker.min.js
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/vendor/chosen_v1.4.0/chosen.jquery.min.js
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/vendor/ocLazyLoad/dist/ocLazyLoad.js
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/vendor/perfect-scrollbar/js/perfect-scrollbar.jquery.js
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/vendor/sweetalert/dist/sweetalert.min.js
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://41.66.249.148/FlexibankUI/vendor/twitter-bootstrap-wizard/jquery.bootstrap.wizard.min.js
Method GET
Parameter
Attack
URL https://41.66.249.148/js/chat.js
Method GET
Parameter
Attack
URL https://41.66.249.148/js/signalr/dist/browser/signalr.js
Method GET
Parameter
Attack
URL https://41.66.249.148/robots.txt
Method GET
Parameter
Attack
URL https://41.66.249.148/sitemap.xml
Method GET
Parameter
Attack
Method POST
Parameter
Attack
Method POST
Parameter
Attack
Method POST
Parameter
Attack
Method POST
Parameter
Attack
Instances 42
Solution Ensure that your web server, application server, load balancer, etc. is configured to suppress "X-Powered-By" headers.
https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-
Reference Fingerprint_Web_Application_Framework
https://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html
CWE Id 200
WASC Id 13
Plugin Id 10037
Low Server Leaks Version Information via "Server" HTTP Response Header Field
The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying
Description
other vulnerabilities your web/application server is subject to.
URL https://41.66.249.148/
Method GET
Parameter
Attack
Evidence Microsoft-IIS/8.5
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
Method GET
Parameter
Attack
URL https://41.66.249.148/robots.txt
Method GET
Parameter
Attack
URL https://41.66.249.148/sitemap.xml
Method GET
Parameter
Attack
Method POST
Parameter
Attack
Method POST
Parameter
Attack
Method POST
Parameter
Attack
Method POST
Parameter
Attack
Instances 42
Solution Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.
https://httpd.apache.org/docs/current/mod/core.html#servertokens
Reference https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10)
https://www.troyhunt.com/shhh-dont-let-your-response-headers/
CWE Id 200
WASC Id 13
Plugin Id 10036
Low Strict-Transport-Security Header Not Set

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser)
Description are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC
6797.
Method GET
Parameter
Attack
Evidence
Method POST
Parameter
Attack
Evidence
Instances 2
Solution Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
https://owasp.org/www-community/Security_Headers
Reference https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
https://caniuse.com/stricttransportsecurity
https://datatracker.ietf.org/doc/html/rfc6797
CWE Id 319
WASC Id 15
Plugin Id 10035
Low X-Content-Type-Options Header Missing

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-
Description sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.
Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
URL https://41.66.249.148/
Method GET
Parameter x-content-type-options
Attack
Evidence
URL https://41.66.249.148/api/ImageX/
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method POST
Attack
Evidence
Method POST
Attack
Evidence
Instances 36
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web
pages.
Solution
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by
the web application/web server to not perform MIME-sniffing.
https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
Reference
https://owasp.org/www-community/Security_Headers
CWE Id 693
WASC Id 15
Plugin Id 10021
Informational Re-examine Cache-control Directives

The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files
Description
this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.
URL https://41.66.249.148/
Method GET
Parameter cache-control
Attack
Evidence
URL https://41.66.249.148/api/ImageX/
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method GET
Attack
Evidence
Method POST
Attack
Evidence
Method POST
Attack
Evidence
Instances 6
For secure content, ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached consider setting the
Solution
directives "public, max-age, immutable".
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
https://grayduck.mn/2021/09/13/cache-control-recommendations/
CWE Id 525
WASC Id 13
Plugin Id 10015

Owasp Zap Scanner Output 2024-04-30

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Owasp Zap Scanner Output 2024-04-30

Uploaded by

Copyright:

Available Formats

OWASP ZAP Scan Report

Javascript included from: https://41.66.249.148

ZAP Version: 2.14.0

Risk Level Number of Alerts

Name Risk Level Number of Instances

Content Security Policy (CSP) Header Not Set Medium 3

Name Rule Type Threshold Strength

Session Management Response Identified Passive MEDIUM -

Medium Cross-Domain Misconfiguration

Medium Missing Anti-clickjacking Header

Medium Vulnerable JS Library

Low Strict-Transport-Security Header Not Set

Low X-Content-Type-Options Header Missing

Informational Re-examine Cache-control Directives

You might also like