Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerabilities not detected behind the authcation #100

Open
fdarul opened this issue Mar 4, 2021 · 0 comments
Open

Vulnerabilities not detected behind the authcation #100

fdarul opened this issue Mar 4, 2021 · 0 comments

Comments

@fdarul
Copy link

fdarul commented Mar 4, 2021

I try to launch zap-cli on the WebGoat application.
It just detect near 20 vulnerabilities.

In fact, it does not seems to scan the url behind the authentication (basics form authent).
I create a context file form the UI, with a registered user (forced user, ..etc)
It seems that the spider-ajax does not pass behind the authentication.

zap-cli session new
zap-cli context import webgoat.context
zap-cli open-url http://localhost/WebGoat
zap-cli spider -c WebGoat -u tester http://localhost/WebGoat
zap-cli ajax-spider http://localhost/WebGoat
zap-cli -v quick-scan -c WebGoat -u tester --scanners all,xss,sqli,xss_persistent,xss_reflected --spider --ajax-spider --recursive -l Informational http://localhost/WebGoat

And i just found this :
89 SQLInjection High http://localhost/WebGoat/register.mvc
6 X-Frame-OptionsHeaderNotSet Medium http://localhost
472 ParameterTampering Medium http://localhost/WebGoat/register.mvc
16 CookieNoHttpOnlyFlag Low http://localhost/WebGoat/
16 CookieWithoutSameSiteAttribute Low http://localhost/WebGoat/
352 AbsenceofAnti-CSRFTokens Low http://localhost/WebGoat/login
352 AbsenceofAnti-CSRFTokens Low http://localhost/WebGoat/registration
352 AbsenceofAnti-CSRFTokens Low http://localhost/WebGoat/login?error
352 AbsenceofAnti-CSRFTokens Low http://localhost/WebGoat/register.mvc
16 X-Content-Type-OptionsHeaderMissing Low http://localhost
565 LooselyScopedCookie Informational http://localhost/WebGoat/
565 LooselyScopedCookie Informational http://localhost/WebGoat/
200 TimestampDisclosure-Unix Informational http://localhost/WebGoat/plugins/bootstrap/css/bootstrap.min.css
200 TimestampDisclosure-Unix Informational http://localhost/WebGoat/plugins/bootstrap/css/bootstrap.min.css
200 TimestampDisclosure-Unix Informational http://localhost/WebGoat/plugins/bootstrap/css/bootstrap.min.css
200 TimestampDisclosure-Unix Informational http://localhost/WebGoat/plugins/bootstrap/css/bootstrap.min.css
200 TimestampDisclosure-Unix Informational http://localhost/WebGoat/plugins/bootstrap/css/bootstrap.min.css
565 LooselyScopedCookie Informational http://localhost/WebGoat/
565 LooselyScopedCookie Informational http://localhost/WebGoat/
565 LooselyScopedCookie Informational http://localhost/WebGoat/

Is there any problem ? Or do i misconfigured the zap-cli ?
Thank you.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@fdarul