Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DAST scan - Investigate & fix if required results of the ZAP scan #709

Open
9 tasks
bendehaan opened this issue Mar 15, 2023 · 0 comments
Open
9 tasks

DAST scan - Investigate & fix if required results of the ZAP scan #709

bendehaan opened this issue Mar 15, 2023 · 0 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@bendehaan
Copy link
Collaborator

A ZAP baseline scan demonstrates several issues. Investigate each of these issues and create a fix if required, or leave on ignore if not relevant. Full ZAP report can be found in GitHub Actions.

Issues:

  • Information Disclosure - Suspicious Comments [10027]
  • User Controllable HTML Element Attribute (Potential XSS) [10031]
  • Non-Storable Content [10049]
  • Cookie without SameSite Attribute [10054]
  • CSP: Wildcard Directive [10055]
  • Permissions Policy Header Not Set [10063]
  • Modern Web Application [10109]
  • Dangerous JS Functions [10110]
  • Loosely Scoped Cookie [90033]

Please provide relevant logs

IGNORE: Information Disclosure - Suspicious Comments [10027] x 14 
	http://localhost:8080/webjars/bootstrap/5.2.3/js/bootstrap.bundle.min.js (200 OK)
	http://localhost:8080/webjars/datatables/1.13.2/js/dataTables.bootstrap5.min.js (200 OK)
	http://localhost:8080/webjars/datatables/1.13.2/js/jquery.dataTables.min.js (200 OK)
	http://localhost:8080/webjars/github-buttons/2.14.1/dist/buttons.js (200 OK)
	http://localhost:8080/webjars/jquery/3.6.3/jquery.js (200 OK)
IGNORE: User Controllable HTML Element Attribute (Potential XSS) [10031] x 6 
	http://localhost:8080/challenge/0 (200 OK)
	http://localhost:8080/challenge/0 (200 OK)
	http://localhost:8080/challenge/0 (200 OK)
	http://localhost:8080/challenge/2 (200 OK)
	http://localhost:8080/challenge/2 (200 OK)
IGNORE: Non-Storable Content [10049] x 11 
	http://localhost:8080 (200 OK)
	http://localhost:8080/ (200 OK)
	http://localhost:8080/challenge/0 (200 OK)
	http://localhost:8080/challenge/1 (200 OK)
	http://localhost:8080/challenge/2 (200 OK)
IGNORE: Cookie without SameSite Attribute [10054] x 1 
	http://localhost:8080/challenge/0 (200 OK)
IGNORE: CSP: Wildcard Directive [10055] x 12 
	http://localhost:8080 (200 OK)
	http://localhost:8080/challenge/0 (200 OK)
	http://localhost:8080/robots.txt (404 Not Found)
	http://localhost:8080/sitemap.xml (404 Not Found)
	http://localhost:8080 (200 OK)
IGNORE: Permissions Policy Header Not Set [10063] x 11 
	http://localhost:8080 (200 OK)
	http://localhost:8080/ (200 OK)
	http://localhost:8080/challenge/0 (200 OK)
	http://localhost:8080/challenge/1 (200 OK)
	http://localhost:8080/challenge/2 (200 OK)
IGNORE: Modern Web Application [10109] x 11 
	http://localhost:8080 (200 OK)
	http://localhost:8080/ (200 OK)
	http://localhost:8080/challenge/0 (200 OK)
	http://localhost:8080/challenge/1 (200 OK)
	http://localhost:8080/challenge/2 (200 OK)
IGNORE: Dangerous JS Functions [10110] x 1 
	http://localhost:8080/webjars/jquery/3.6.3/jquery.js (200 OK)
IGNORE: Loosely Scoped Cookie [90033] x 1 
	http://localhost:8080/challenge/0 (200 OK)

Any possible solutions?

Needs further investigation per issue.

If the bug is confirmed, would you be willing to submit a PR?

Yes

@bendehaan bendehaan added the bug Something isn't working label Mar 15, 2023
@commjoen commjoen changed the title DAST scan - ZAP issues DAST scan - Investigate & fix if required: ZAP issues Mar 20, 2023
@commjoen commjoen changed the title DAST scan - Investigate & fix if required: ZAP issues DAST scan - Investigate & fix if required results of the ZAP scan Mar 20, 2023
@commjoen commjoen added help wanted Extra attention is needed enhancement New feature or request and removed bug Something isn't working labels Mar 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request help wanted Extra attention is needed
Projects
Status: To do
Development

No branches or pull requests

2 participants