I am running zap-cli quick-scan with alert-level high, which returns zero issues, but the generated report lists Medium and Low alerts. How can I stop the generated report from including any Medium or Low alerts? Here is how I run my tests.
The docker logs look like:
97724 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://MYURL | CrossSiteScriptingScanRule strength HIGH threshold HIGH
106519 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://MYURL | CrossSiteScriptingScanRule in 8.797s with 0 message(s) sent and 0 alert(s) raised.
106519 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://MYURL | PersistentXssPrimeScanRule strength HIGH threshold HIGH
114712 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://MYURL | PersistentXssPrimeScanRule in 8.193s with 0 message(s) sent and 0 alert(s) raised.
114713 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://MYURL | PersistentXssSpiderScanRule strength HIGH threshold HIGH
119656 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://MYURL | PersistentXssSpiderScanRule in 4.943s with 81 message(s) sent and 0 alert(s) raised.
119657 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://MYURL | PersistentXssScanRule strength HIGH threshold HIGH
129123 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://MYURL| PersistentXssScanRule in 9.466s with 0 message(s) sent and 0 alert(s) raised.
129124 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://MYURL | SqlInjectionScanRule strength HIGH threshold HIGH
136959 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://MYURL | SqlInjectionScanRule in 7.836s with 0 message(s) sent and 0 alert(s) raised.
136959 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host https://MYURL in 107.097s with 0 alert(s) raised.
136960 [Thread-8] INFO org.parosproxy.paros.core.scanner.Scanner - scanner completed in 107.127s
and the generated XML report is
zap-cli report -o OWASP-ZAP-Report.xml -f xml
<?xml version="1.0"?>
<OWASPZAPReport version="2.11.1" generated="Thu, 3 Feb 2022 09:52:03">
<site name="https://MYURL" host="MYURL" port="443" ssl="true">
<alerts>
<alertitem>
<pluginid>10055</pluginid>
<alertRef>10055</alertRef>
<alert>CSP: Wildcard Directive</alert>
<name>CSP: Wildcard Directive</name>
<riskcode>2</riskcode>
<confidence>2</confidence>
<riskdesc>Medium (Medium)</riskdesc>
<confidencedesc>Medium</confidencedesc>
<desc><p>The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: </p><p>connects-src, frame-ancestors, form-action</p><p></p><p>The directive(s): frame-ancestors, form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything.</p></desc>
<instances>
<instance>
<uri>https://MYURL</uri>
<method>GET</method>
<param></param>
<attack></attack>
<evidence>default-src </evidence>
</instance>
</instances>
<count>1</count>
<solution><p>Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.</p></solution>
<otherinfo></otherinfo>
<reference><p>http://www.w3.org/TR/CSP2/</p><p>http://www.w3.org/TR/CSP/</p><p>http://caniuse.com/#search=content+security+policy</p><p>http://content-security-policy.com/</p><p>https://github.com/shapesecurity/salvation</p><p>https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources</p></reference>
<cweid>693</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10055</pluginid>
<alertRef>10055</alertRef>
<alert>CSP: script-src unsafe-inline</alert>
<name>CSP: script-src unsafe-inline</name>
<riskcode>2</riskcode>
<confidence>2</confidence>
<riskdesc>Medium (Medium)</riskdesc>
<confidencedesc>Medium</confidencedesc>
<desc><p>script-src includes unsafe-inline.</p></desc>
<instances>
<instance>
<uri>https://MYURL</uri>
<method>GET</method>
<param></param>
<attack></attack>
<evidence>default-src </evidence>
</instance>
</instances>
<count>1</count>
<solution><p>Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.</p></solution>
<otherinfo></otherinfo>
<reference><p>http://www.w3.org/TR/CSP2/</p><p>http://www.w3.org/TR/CSP/</p><p>http://caniuse.com/#search=content+security+policy</p><p>http://content-security-policy.com/</p><p>https://github.com/shapesecurity/salvation</p><p>https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources</p></reference>
<cweid>693</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10055</pluginid>
<alertRef>10055</alertRef>
<alert>CSP: style-src unsafe-inline</alert>
<name>CSP: style-src unsafe-inline</name>
<riskcode>2</riskcode>
<confidence>2</confidence>
<riskdesc>Medium (Medium)</riskdesc>
<confidencedesc>Medium</confidencedesc>
<desc><p>style-src includes unsafe-inline.</p></desc>
<instances>
<instance>
<uri>https://MYURL</uri>
<method>GET</method>
<param></param>
<attack></attack>
<evidence>default-src</evidence>
</instance>
</instances>
<count>1</count>
<solution><p>Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.</p></solution>
<otherinfo></otherinfo>
<reference><p>http://www.w3.org/TR/CSP2/</p><p>http://www.w3.org/TR/CSP/</p><p>http://caniuse.com/#search=content+security+policy</p><p>http://content-security-policy.com/</p><p>https://github.com/shapesecurity/salvation</p><p>https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources</p></reference>
<cweid>693</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10017</pluginid>
<alertRef>10017</alertRef>
<alert>Cross-Domain JavaScript Source File Inclusion</alert>
<name>Cross-Domain JavaScript Source File Inclusion</name>
<riskcode>1</riskcode>
<confidence>2</confidence>
<riskdesc>Low (Medium)</riskdesc>
<confidencedesc>Medium</confidencedesc>
<desc><p>The page includes one or more script files from a third-party domain.</p></desc>
<instances>
<instance>
<uri>https://MYURL</uri>
<method>GET</method>
<param>https://app.usercentrics.eu/latest/main.js</param>
<attack></attack>
<evidence><script type="application/javascript" src="https://app.usercentrics.eu/latest/main.js" id="u5MUYXh1"></script></evidence>
</instance>
</instances>
<count>1</count>
<solution><p>Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.</p></solution>
<otherinfo></otherinfo>
<reference></reference>
<cweid>829</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10015</pluginid>
<alertRef>10015</alertRef>
<alert>Incomplete or No Cache-control Header Set</alert>
<name>Incomplete or No Cache-control Header Set</name>
<riskcode>1</riskcode>
<confidence>2</confidence>
<riskdesc>Low (Medium)</riskdesc>
<confidencedesc>Medium</confidencedesc>
<desc><p>The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content.</p></desc>
<instances>
<instance>
<uri>https://MYURL</uri>
<method>GET</method>
<param>Cache-Control</param>
<attack></attack>
<evidence>max-age=600, must-revalidate</evidence>
</instance>
<instance>
<uri>https://MYURL/etc/designs/dm/favicon/manifest.json</uri>
<method>GET</method>
<param>Cache-Control</param>
<attack></attack>
<evidence>max-age=600</evidence>
</instance>
</instances>
<count>2</count>
<solution><p>Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate.</p></solution>
<otherinfo></otherinfo>
<reference><p>https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching</p><p>https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control</p></reference>
<cweid>525</cweid>
<wascid>13</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10096</pluginid>
<alertRef>10096</alertRef>
<alert>Timestamp Disclosure - Unix</alert>
<name>Timestamp Disclosure - Unix</name>
<riskcode>1</riskcode>
<confidence>1</confidence>
<riskdesc>Low (Low)</riskdesc>
<confidencedesc>Low</confidencedesc>
<desc><p>A timestamp was disclosed by the application/web server - Unix</p></desc>
<instances>
<instance>
<uri>https://MYURL/</uri>
<method>GET</method>
<param></param>
<attack></attack>
<evidence>20010904</evidence>
</instance>
<instance>
<uri>https://MYURL/</uri>
<method>GET</method>
<param></param>
<attack></attack>
<evidence>16777215</evidence>
</instance>
<instance>
<uri>https://MYURL</uri>
<method>GET</method>
<param></param>
<attack></attack>
<evidence>16777215</evidence>
</instance>
</instances>
<count>3</count>
<solution><p>Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.</p></solution>
<otherinfo><p>20010904, which evaluates to: 1970-08-20 14:35:04</p></otherinfo>
<reference><p>http://projects.webappsec.org/w/page/13246936/Information%20Leakage</p></reference>
<cweid>200</cweid>
<wascid>13</wascid>
<sourceid>76</sourceid>
</alertitem>
<alertitem>
<pluginid>10027</pluginid>
<alertRef>10027</alertRef>
<alert>Information Disclosure - Suspicious Comments</alert>
<name>Information Disclosure - Suspicious Comments</name>
<riskcode>0</riskcode>
<confidence>1</confidence>
<riskdesc>Informational (Low)</riskdesc>
<confidencedesc>Low</confidencedesc>
<desc><p>The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.</p></desc>
<instances>
</instances>
<count>12</count>
<solution><p>Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.</p></solution>
<otherinfo><p>The following pattern was used: \bDB\b and was detected 8 times, the first in the element starting with: "var bL=function(c4){var dg,dh,dk,c3,da,db,df,dd,cU,cW,c7,du,dQ,dl,dN,cV,cY,di,cS,dw="sizzle"+1*new Date,c2=c4.document,c8=0,cZ=0", see evidence field for the suspicious comment/snippet.</p></otherinfo>
<reference></reference>
<cweid>200</cweid>
<wascid>13</wascid>
<sourceid>84</sourceid>
</alertitem>
</alerts>
</site>
</OWASPZAPReport>
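Two things are worth noticing in the output above. The active-scan log only lists rules such as CrossSiteScriptingScanRule and SqlInjectionScanRule at threshold HIGH, and those raised nothing; every alert in the report (CSP, cache-control, timestamp disclosure, suspicious comments) comes from ZAP's passive scanner, which runs on every proxied response regardless of the active-scan threshold. The alert level given to quick-scan governs what zap-cli prints and counts, while the report export is ZAP's full session report. If the report itself must be limited to a risk level, it can be filtered after export. The script below is an added example, not part of the issue or of zap-cli; it parses the report's `<riskcode>` values (0 Informational, 1 Low, 2 Medium, 3 High) and drops every `<alertitem>` below a chosen level. The embedded `SAMPLE_REPORT` is trimmed from the report above to the fields the filter needs; the function names are my own.

```python
"""Filter a ZAP XML report (OWASPZAPReport) down to alerts at or above a risk level.

Added example, not zap-cli code. Assumes the report layout shown in the issue:
<OWASPZAPReport><site><alerts><alertitem>...<riskcode>N</riskcode>...</alertitem>
"""
import sys
import xml.etree.ElementTree as ET

# Risk codes as ZAP writes them into <riskcode>.
RISK_LEVELS = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Sample input, trimmed from the report in the issue above (desc/solution/
# reference bodies dropped; alert names, risk codes and counts kept verbatim).
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.11.1" generated="Thu, 3 Feb 2022 09:52:03">
<site name="https://MYURL" host="MYURL" port="443" ssl="true">
<alerts>
<alertitem><pluginid>10055</pluginid><alert>CSP: Wildcard Directive</alert><riskcode>2</riskcode><riskdesc>Medium (Medium)</riskdesc><count>1</count></alertitem>
<alertitem><pluginid>10055</pluginid><alert>CSP: script-src unsafe-inline</alert><riskcode>2</riskcode><riskdesc>Medium (Medium)</riskdesc><count>1</count></alertitem>
<alertitem><pluginid>10055</pluginid><alert>CSP: style-src unsafe-inline</alert><riskcode>2</riskcode><riskdesc>Medium (Medium)</riskdesc><count>1</count></alertitem>
<alertitem><pluginid>10017</pluginid><alert>Cross-Domain JavaScript Source File Inclusion</alert><riskcode>1</riskcode><riskdesc>Low (Medium)</riskdesc><count>1</count></alertitem>
<alertitem><pluginid>10015</pluginid><alert>Incomplete or No Cache-control Header Set</alert><riskcode>1</riskcode><riskdesc>Low (Medium)</riskdesc><count>2</count></alertitem>
<alertitem><pluginid>10096</pluginid><alert>Timestamp Disclosure - Unix</alert><riskcode>1</riskcode><riskdesc>Low (Low)</riskdesc><count>3</count></alertitem>
<alertitem><pluginid>10027</pluginid><alert>Information Disclosure - Suspicious Comments</alert><riskcode>0</riskcode><riskdesc>Informational (Low)</riskdesc><count>12</count></alertitem>
</alerts>
</site>
</OWASPZAPReport>
"""


def parse_report(xml_text: str) -> ET.Element:
    """Parse report text into its <OWASPZAPReport> root element."""
    return ET.fromstring(xml_text)


def risk_of(item: ET.Element) -> int:
    """Numeric risk of one <alertitem>; a missing <riskcode> is treated as Informational."""
    return int(item.findtext("riskcode", "0"))


def alerts_by_risk(root: ET.Element) -> dict:
    """Count <alertitem> elements per risk code, across every <site> in the report."""
    counts: dict = {}
    for item in root.iter("alertitem"):
        counts[risk_of(item)] = counts.get(risk_of(item), 0) + 1
    return counts


def filter_report(root: ET.Element, min_level: str) -> ET.Element:
    """Remove, in place, every <alertitem> whose risk is below min_level."""
    threshold = RISK_LEVELS[min_level.lower()]
    for alerts in root.iter("alerts"):
        # Copy the list first: removing while iterating over a live child list skips items.
        for item in list(alerts.findall("alertitem")):
            if risk_of(item) < threshold:
                alerts.remove(item)
    return root


def remaining_alert_names(root: ET.Element) -> list:
    """Alert names still present, in document order (handy for assertions and summaries)."""
    return [item.findtext("alert", "") for item in root.iter("alertitem")]


def write_filtered_report(in_path: str, out_path: str, min_level: str) -> int:
    """Read a report file, keep alerts at or above min_level, write it back. Returns alerts kept."""
    tree = ET.parse(in_path)
    filter_report(tree.getroot(), min_level)
    tree.write(out_path, encoding="utf-8", xml_declaration=True)
    return len(remaining_alert_names(tree.getroot()))


if __name__ == "__main__":
    # Usage: python filter_zap_report.py OWASP-ZAP-Report.xml filtered.xml high
    if len(sys.argv) == 4:
        kept = write_filtered_report(sys.argv[1], sys.argv[2], sys.argv[3])
        print(f"kept {kept} alert(s) at or above {sys.argv[3]}")
    else:
        root = parse_report(SAMPLE_REPORT)
        print("alerts per risk code:", alerts_by_risk(root))
        print("at or above medium:", remaining_alert_names(filter_report(root, "medium")))
```

Run as `python filter_zap_report.py OWASP-ZAP-Report.xml filtered.xml high` to produce a report containing only High alerts; on the sample above that leaves an empty `<alerts>` element, which matches the zero issues quick-scan printed. Before filtering, it is worth weighing whether the Medium CSP findings (`unsafe-inline` in script-src and style-src, wildcard or missing `frame-ancestors` and `form-action`) should really be hidden: they are configuration weaknesses a reviewer would normally want to see even when the build is only gated on High.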
codewode changed the title from "Wrong results in generated Report" to "Unexpected results in generated Report" on Feb 3, 2022