Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unexpected results in generated Report #106

Open
codewode opened this issue Feb 3, 2022 · 0 comments
Open

Unexpected results in generated Report #106

codewode opened this issue Feb 3, 2022 · 0 comments

Comments

@codewode
Copy link

codewode commented Feb 3, 2022

I am running zap-cli quick-scan with alert-level high, which returns zero issues, but the generated report lists Medium and Low alerts. how can I avoid the generated report, not to include any medium or low alerts. Here is how I run my tests.

docker run -d -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0 -config api.disablekey=true -config api.addrs.addr.name=".*" -config api.addrs.addr.regex=true
zap-cli policies set-strength -s "High" 
zap-cli policies set-threshold -t "High"
zap-cli  quick-scan -o '-config scanner.attackOnStart=true -config view.mode=attack -config connection.dnsTtlSuccessfulQueries=-1 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true' -s xss,sqli --spider --alert-level "High" --recursive https://MYURL

the docker logs looks like

97724 [Thread-9] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://MYURL | CrossSiteScriptingScanRule strength HIGH threshold HIGH
106519 [Thread-9] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://MYURL | CrossSiteScriptingScanRule in 8.797s with 0 message(s) sent and 0 alert(s) raised.
106519 [Thread-9] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://MYURL | PersistentXssPrimeScanRule strength HIGH threshold HIGH
114712 [Thread-9] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://MYURL | PersistentXssPrimeScanRule in 8.193s with 0 message(s) sent and 0 alert(s) raised.
114713 [Thread-9] INFO  org.parosproxy.paros.core.scanner.HostProcess - start [host https://MYURL](https://MYURL) | PersistentXssSpiderScanRule strength HIGH threshold HIGH
119656 [Thread-9] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://MYURL | PersistentXssSpiderScanRule in 4.943s with 81 message(s) sent and 0 alert(s) raised.
119657 [Thread-9] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://MYURL | PersistentXssScanRule strength HIGH threshold HIGH
129123 [Thread-9] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://MYURL| PersistentXssScanRule in 9.466s with 0 message(s) sent and 0 alert(s) raised.
129124 [Thread-9] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://MYURL | SqlInjectionScanRule strength HIGH threshold HIGH
136959 [Thread-9] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://MYURL | SqlInjectionScanRule in 7.836s with 0 message(s) sent and 0 alert(s) raised.
136959 [Thread-9] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host https://MYURL in 107.097s with 0 alert(s) raised.
136960 [Thread-8] INFO  org.parosproxy.paros.core.scanner.Scanner - scanner completed in 107.127s

and the xml generated report is

zap-cli report -o OWASP-ZAP-Report.xml -f xml
<?xml version="1.0"?>
<OWASPZAPReport version="2.11.1" generated="Thu, 3 Feb 2022 09:52:03">
	
		<site name="https://MYURL" host="MYURL" port="443" ssl="true">
			<alerts>
				
					<alertitem>
						<pluginid>10055</pluginid>
						<alertRef>10055</alertRef>
						<alert>CSP: Wildcard Directive</alert>
						<name>CSP: Wildcard Directive</name>
						<riskcode>2</riskcode>
						<confidence>2</confidence>
						<riskdesc>Medium (Medium)</riskdesc>
						<confidencedesc>Medium</confidencedesc>
						<desc>&lt;p&gt;The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: &lt;/p&gt;&lt;p&gt;connects-src, frame-ancestors, form-action&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;The directive(s): frame-ancestors, form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything.&lt;/p&gt;</desc>
						<instances>
							
								<instance>
									<uri>https://MYURL</uri>
									<method>GET</method>
									<param></param>
									<attack></attack>
									<evidence>default-src </evidence>
								</instance>
							
						</instances>
						<count>1</count>
						<solution>&lt;p&gt;Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.&lt;/p&gt;</solution>
						<otherinfo></otherinfo>
						<reference>&lt;p&gt;http://www.w3.org/TR/CSP2/&lt;/p&gt;&lt;p&gt;http://www.w3.org/TR/CSP/&lt;/p&gt;&lt;p&gt;http://caniuse.com/#search=content+security+policy&lt;/p&gt;&lt;p&gt;http://content-security-policy.com/&lt;/p&gt;&lt;p&gt;https://github.com/shapesecurity/salvation&lt;/p&gt;&lt;p&gt;https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources&lt;/p&gt;</reference>
						<cweid>693</cweid>
						<wascid>15</wascid>
						<sourceid>3</sourceid>
					</alertitem>
				
				
					<alertitem>
						<pluginid>10055</pluginid>
						<alertRef>10055</alertRef>
						<alert>CSP: script-src unsafe-inline</alert>
						<name>CSP: script-src unsafe-inline</name>
						<riskcode>2</riskcode>
						<confidence>2</confidence>
						<riskdesc>Medium (Medium)</riskdesc>
						<confidencedesc>Medium</confidencedesc>
						<desc>&lt;p&gt;script-src includes unsafe-inline.&lt;/p&gt;</desc>
						<instances>
							
								<instance>
									<uri>https://MYURL</uri>
									<method>GET</method>
									<param></param>
									<attack></attack>
									<evidence>default-src </evidence>
								</instance>
							
						</instances>
						<count>1</count>
						<solution>&lt;p&gt;Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.&lt;/p&gt;</solution>
						<otherinfo></otherinfo>
						<reference>&lt;p&gt;http://www.w3.org/TR/CSP2/&lt;/p&gt;&lt;p&gt;http://www.w3.org/TR/CSP/&lt;/p&gt;&lt;p&gt;http://caniuse.com/#search=content+security+policy&lt;/p&gt;&lt;p&gt;http://content-security-policy.com/&lt;/p&gt;&lt;p&gt;https://github.com/shapesecurity/salvation&lt;/p&gt;&lt;p&gt;https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources&lt;/p&gt;</reference>
						<cweid>693</cweid>
						<wascid>15</wascid>
						<sourceid>3</sourceid>
					</alertitem>
				
				
					<alertitem>
						<pluginid>10055</pluginid>
						<alertRef>10055</alertRef>
						<alert>CSP: style-src unsafe-inline</alert>
						<name>CSP: style-src unsafe-inline</name>
						<riskcode>2</riskcode>
						<confidence>2</confidence>
						<riskdesc>Medium (Medium)</riskdesc>
						<confidencedesc>Medium</confidencedesc>
						<desc>&lt;p&gt;style-src includes unsafe-inline.&lt;/p&gt;</desc>
						<instances>
							
								<instance>
									<uri>https://MYURL</uri>
									<method>GET</method>
									<param></param>
									<attack></attack>
									<evidence>default-src</evidence>
								</instance>
							
						</instances>
						<count>1</count>
						<solution>&lt;p&gt;Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.&lt;/p&gt;</solution>
						<otherinfo></otherinfo>
						<reference>&lt;p&gt;http://www.w3.org/TR/CSP2/&lt;/p&gt;&lt;p&gt;http://www.w3.org/TR/CSP/&lt;/p&gt;&lt;p&gt;http://caniuse.com/#search=content+security+policy&lt;/p&gt;&lt;p&gt;http://content-security-policy.com/&lt;/p&gt;&lt;p&gt;https://github.com/shapesecurity/salvation&lt;/p&gt;&lt;p&gt;https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources&lt;/p&gt;</reference>
						<cweid>693</cweid>
						<wascid>15</wascid>
						<sourceid>3</sourceid>
					</alertitem>
				
				
					<alertitem>
						<pluginid>10017</pluginid>
						<alertRef>10017</alertRef>
						<alert>Cross-Domain JavaScript Source File Inclusion</alert>
						<name>Cross-Domain JavaScript Source File Inclusion</name>
						<riskcode>1</riskcode>
						<confidence>2</confidence>
						<riskdesc>Low (Medium)</riskdesc>
						<confidencedesc>Medium</confidencedesc>
						<desc>&lt;p&gt;The page includes one or more script files from a third-party domain.&lt;/p&gt;</desc>
						<instances>
							
								<instance>
									<uri>https://MYURL</uri>
									<method>GET</method>
									<param>https://app.usercentrics.eu/latest/main.js</param>
									<attack></attack>
									<evidence>&lt;script type=&quot;application/javascript&quot; src=&quot;https://app.usercentrics.eu/latest/main.js&quot; id=&quot;u5MUYXh1&quot;&gt;&lt;/script&gt;</evidence>
								</instance>
							
						</instances>
						<count>1</count>
						<solution>&lt;p&gt;Ensure JavaScript source files are loaded from only trusted sources, and the sources can&apos;t be controlled by end users of the application.&lt;/p&gt;</solution>
						<otherinfo></otherinfo>
						<reference></reference>
						<cweid>829</cweid>
						<wascid>15</wascid>
						<sourceid>3</sourceid>
					</alertitem>
				
				
					<alertitem>
						<pluginid>10015</pluginid>
						<alertRef>10015</alertRef>
						<alert>Incomplete or No Cache-control Header Set</alert>
						<name>Incomplete or No Cache-control Header Set</name>
						<riskcode>1</riskcode>
						<confidence>2</confidence>
						<riskdesc>Low (Medium)</riskdesc>
						<confidencedesc>Medium</confidencedesc>
						<desc>&lt;p&gt;The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content.&lt;/p&gt;</desc>
						<instances>
							
								<instance>
									<uri>https://MYURL</uri>
									<method>GET</method>
									<param>Cache-Control</param>
									<attack></attack>
									<evidence>max-age=600, must-revalidate</evidence>
								</instance>
							
							
								<instance>
									<uri>https://MYURL/etc/designs/dm/favicon/manifest.json</uri>
									<method>GET</method>
									<param>Cache-Control</param>
									<attack></attack>
									<evidence>max-age=600</evidence>
								</instance>
							
						</instances>
						<count>2</count>
						<solution>&lt;p&gt;Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate.&lt;/p&gt;</solution>
						<otherinfo></otherinfo>
						<reference>&lt;p&gt;https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching&lt;/p&gt;&lt;p&gt;https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control&lt;/p&gt;</reference>
						<cweid>525</cweid>
						<wascid>13</wascid>
						<sourceid>3</sourceid>
					</alertitem>
				
				
					<alertitem>
						<pluginid>10096</pluginid>
						<alertRef>10096</alertRef>
						<alert>Timestamp Disclosure - Unix</alert>
						<name>Timestamp Disclosure - Unix</name>
						<riskcode>1</riskcode>
						<confidence>1</confidence>
						<riskdesc>Low (Low)</riskdesc>
						<confidencedesc>Low</confidencedesc>
						<desc>&lt;p&gt;A timestamp was disclosed by the application/web server - Unix&lt;/p&gt;</desc>
						<instances>
							
								<instance>
									<uri>https://MYURL/</uri>
									<method>GET</method>
									<param></param>
									<attack></attack>
									<evidence>20010904</evidence>
								</instance>
							
							
								<instance>
									<uri>https://MYURL/</uri>
									<method>GET</method>
									<param></param>
									<attack></attack>
									<evidence>16777215</evidence>
								</instance>
							
							
								<instance>
									<uri>https://MYURL</uri>
									<method>GET</method>
									<param></param>
									<attack></attack>
									<evidence>16777215</evidence>
								</instance>
							
						</instances>
						<count>3</count>
						<solution>&lt;p&gt;Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.&lt;/p&gt;</solution>
						<otherinfo>&lt;p&gt;20010904, which evaluates to: 1970-08-20 14:35:04&lt;/p&gt;</otherinfo>
						<reference>&lt;p&gt;http://projects.webappsec.org/w/page/13246936/Information%20Leakage&lt;/p&gt;</reference>
						<cweid>200</cweid>
						<wascid>13</wascid>
						<sourceid>76</sourceid>
					</alertitem>
				
				
					<alertitem>
						<pluginid>10027</pluginid>
						<alertRef>10027</alertRef>
						<alert>Information Disclosure - Suspicious Comments</alert>
						<name>Information Disclosure - Suspicious Comments</name>
						<riskcode>0</riskcode>
						<confidence>1</confidence>
						<riskdesc>Informational (Low)</riskdesc>
						<confidencedesc>Low</confidencedesc>
						<desc>&lt;p&gt;The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.&lt;/p&gt;</desc>
						<instances>
							
							
							
						</instances>
						<count>12</count>
						<solution>&lt;p&gt;Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.&lt;/p&gt;</solution>
						<otherinfo>&lt;p&gt;The following pattern was used: \bDB\b and was detected 8 times, the first in the element starting with: &quot;var bL=function(c4){var dg,dh,dk,c3,da,db,df,dd,cU,cW,c7,du,dQ,dl,dN,cV,cY,di,cS,dw=&quot;sizzle&quot;+1*new Date,c2=c4.document,c8=0,cZ=0&quot;, see evidence field for the suspicious comment/snippet.&lt;/p&gt;</otherinfo>
						<reference></reference>
						<cweid>200</cweid>
						<wascid>13</wascid>
						<sourceid>84</sourceid>
					</alertitem>
				
			</alerts>
		</site>
	
</OWASPZAPReport>
@codewode codewode changed the title Wrong results in generated Report Unexpected results in generated Report Feb 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant