False positive caused by the WebScripts resolve path algorithm: the response is the same for /web, /test.css, /test.php, etc., because it's the same page for WebScripts (the page is / and this page redirects to /web/).
MEDIUM - Hidden File Found
False positive caused by the WebScripts resolve path algorithm: the response code is not 404 on /BitKeeper, /.hg, /.bzr, etc., because it's the root WebScripts page for WebScripts Server.
LOW - Server Leaks Version Information via "Server" HTTP Response Header Field
This information should be overwritten by deployment (Apache and NGINX web server with WSGI and/or HTTP proxy)
LOW - Deprecated Feature Policy Header Set
Security for old web browsers
INFORMATIONAL - CSP: Header & Meta
Meta is added to protect the server in debug mode
Header is added to have a complete CSP (Meta doesn't support the frame-ancestors directive), and non-WebScripts web pages (modules, CGI, etc.) don't have the Meta tag for CSP
INFORMATIONAL - Base64 Disclosure
False Positive: the base64 is the CSRF Token
INFORMATIONAL - Information Disclosure - Suspicious Comments
Comments are Copyrights, the information disclosure is the web server solution (WebScripts)
INFORMATIONAL - Modern Web Application
ZAP explains "this is an informational alert and so no changes are required"
Detection: noscript tag and a tag without href in pydoc documentation
INFORMATIONAL - Sec-Fetch-User Header is Missing
Probably a False Positive, the header is set in the code and I get it in my browser
INFORMATIONAL - Sec-Fetch-Site Header is Missing
Probably a False Positive, the header is set in the code and I get it in my browser
INFORMATIONAL - Sec-Fetch-Mode Header is Missing
Probably a False Positive, the header is set in the code and I get it in my browser
INFORMATIONAL - Sec-Fetch-Dest Header is Missing
Probably a False Positive, the header is set in the code and I get it in my browser
INFORMATIONAL - Non-Storable Content
Useful to improve performance; I don't optimize this header for web hardening reasons: by default, all web pages should be secure
New Alerts
View the following link to download the report.
RunnerID:8583468408