DAST scan - Investigate & fix if required results of the ZAP scan #709

@bendehaan

Description

A ZAP baseline scan demonstrates several issues. Investigate each of these issues and create a fix if required, or leave on ignore if not relevant. The full ZAP report can be found in GitHub Actions.

Issues:

  • Information Disclosure - Suspicious Comments [10027]
  • User Controllable HTML Element Attribute (Potential XSS) [10031]
  • Non-Storable Content [10049]
  • Cookie without SameSite Attribute [10054]
  • CSP: Wildcard Directive [10055]
  • Permissions Policy Header Not Set [10063]
  • Modern Web Application [10109]
  • Dangerous JS Functions [10110]
  • Loosely Scoped Cookie [90033]

Please provide relevant logs

IGNORE: Information Disclosure - Suspicious Comments [10027] x 14 
	http://localhost:8080/webjars/bootstrap/5.2.3/js/bootstrap.bundle.min.js (200 OK)
	http://localhost:8080/webjars/datatables/1.13.2/js/dataTables.bootstrap5.min.js (200 OK)
	http://localhost:8080/webjars/datatables/1.13.2/js/jquery.dataTables.min.js (200 OK)
	http://localhost:8080/webjars/github-buttons/2.14.1/dist/buttons.js (200 OK)
	http://localhost:8080/webjars/jquery/3.6.3/jquery.js (200 OK)
IGNORE: User Controllable HTML Element Attribute (Potential XSS) [10031] x 6 
	http://localhost:8080/challenge/0 (200 OK)
	http://localhost:8080/challenge/0 (200 OK)
	http://localhost:8080/challenge/0 (200 OK)
	http://localhost:8080/challenge/2 (200 OK)
	http://localhost:8080/challenge/2 (200 OK)
IGNORE: Non-Storable Content [10049] x 11 
	http://localhost:8080 (200 OK)
	http://localhost:8080/ (200 OK)
	http://localhost:8080/challenge/0 (200 OK)
	http://localhost:8080/challenge/1 (200 OK)
	http://localhost:8080/challenge/2 (200 OK)
IGNORE: Cookie without SameSite Attribute [10054] x 1 
	http://localhost:8080/challenge/0 (200 OK)
IGNORE: CSP: Wildcard Directive [10055] x 12 
	http://localhost:8080 (200 OK)
	http://localhost:8080/challenge/0 (200 OK)
	http://localhost:8080/robots.txt (404 Not Found)
	http://localhost:8080/sitemap.xml (404 Not Found)
	http://localhost:8080 (200 OK)
IGNORE: Permissions Policy Header Not Set [10063] x 11 
	http://localhost:8080 (200 OK)
	http://localhost:8080/ (200 OK)
	http://localhost:8080/challenge/0 (200 OK)
	http://localhost:8080/challenge/1 (200 OK)
	http://localhost:8080/challenge/2 (200 OK)
IGNORE: Modern Web Application [10109] x 11 
	http://localhost:8080 (200 OK)
	http://localhost:8080/ (200 OK)
	http://localhost:8080/challenge/0 (200 OK)
	http://localhost:8080/challenge/1 (200 OK)
	http://localhost:8080/challenge/2 (200 OK)
IGNORE: Dangerous JS Functions [10110] x 1 
	http://localhost:8080/webjars/jquery/3.6.3/jquery.js (200 OK)
IGNORE: Loosely Scoped Cookie [90033] x 1 
	http://localhost:8080/challenge/0 (200 OK)

Any possible solutions?

Needs further investigation per issue.

If the bug is confirmed, would you be willing to submit a PR?

Yes
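Four of the listed alerts (10054, 90033, 10055, 10063) are decided purely by response headers, so they can be re-checked locally before the baseline scan is re-run. The script below is an added example, not code from this project or from ZAP; it approximates those four passive rules on constructed sample responses. The hostname `app.example.test`, the header values in `BEFORE`/`AFTER`, and the list of CSP directives inspected are assumptions made for the example, not values taken from the report above.

```python
"""Local re-check of the header and cookie findings from a ZAP baseline scan.

Added example; not the project's or ZAP's code. It approximates four ZAP
passive rules (10054 Cookie without SameSite, 90033 Loosely Scoped Cookie,
10055 CSP Wildcard Directive, 10063 Permissions Policy Header Not Set) on
constructed response headers so a fix can be verified before re-scanning.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

Finding = Tuple[int, str]  # (ZAP rule id, human-readable message)

# Fetch/navigation directives in which a wildcard source is reported.
# Assumption for this example: a subset of what ZAP's CSP rule inspects.
CSP_DIRECTIVES = (
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "media-src", "object-src", "frame-src", "worker-src",
    "form-action",
)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, lower-cased attribute map)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_cookie(header: str, host: str) -> List[Finding]:
    """Rules 10054 and 90033 for one Set-Cookie header served by `host`."""
    name, attrs = parse_set_cookie(header)
    findings: List[Finding] = []
    if "samesite" not in attrs:
        findings.append((10054, f"cookie {name!r} has no SameSite attribute"))
    # A Domain attribute naming a parent of the serving host lets every
    # sibling sub-domain read the cookie; the host-only default is tighter.
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != host.lower() and host.lower().endswith("." + domain):
        findings.append((90033, f"cookie {name!r} is scoped to parent domain {domain!r}"))
    return findings


def check_csp(policy: str) -> List[Finding]:
    """Rule 10055: a '*' source or a bare scheme makes a directive a wildcard."""
    findings: List[Finding] = []
    for directive in policy.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() not in CSP_DIRECTIVES:
            continue
        for source in tokens[1:]:
            if source == "*" or source.lower() in ("http:", "https:"):
                findings.append((10055, f"{tokens[0]} allows wildcard source {source!r}"))
    return findings


def scan(headers: List[Tuple[str, str]], host: str) -> List[Finding]:
    """Run all four checks over one response's headers."""
    findings: List[Finding] = []
    lowered = [(k.lower(), v) for k, v in headers]
    is_html = any(k == "content-type" and "text/html" in v for k, v in lowered)
    for key, value in lowered:
        if key == "set-cookie":
            findings.extend(check_cookie(value, host))
        elif key == "content-security-policy":
            findings.extend(check_csp(value))
    # Rule 10063 only applies to HTML responses.
    if is_html and not any(k == "permissions-policy" for k, _ in lowered):
        findings.append((10063, "Permissions-Policy header not set on HTML response"))
    return findings


def rule_ids(findings: List[Finding]) -> List[int]:
    """Sorted rule ids, convenient for comparing before/after a fix."""
    return sorted(rule for rule, _ in findings)


# Constructed sample: a response of the kind that produces all four alerts.
BEFORE = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/; Domain=example.test; HttpOnly"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' *; img-src https:"),
]

# Constructed sample: the same response after the fixes.
AFTER = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly; SameSite=Lax"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'; img-src 'self' data:"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for rule, message in scan(headers, "app.example.test"):
            print(f"  [{rule}] {message}")
```

Running the script prints one line per finding for the `BEFORE` headers and nothing for `AFTER`. The checks are a local approximation and do not replace re-running ZAP: the real rules also cover cases such as `default-src` fallback and cookies set via JavaScript.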

Metadata

Type

No type

Projects

Status

To do

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests