/alerttags/api_2023_api8/ Recent content in API_2023_API8 on ZAP Hugo en-us /docs/alerts/90034/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/90034/ <p>The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure. All of these providers provide metadata via an internal unroutable IP address &lsquo;169.254.169.254&rsquo; - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field.</p> /docs/alerts/0/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/0/ <p>It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information.</p> /docs/alerts/50007-1/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/50007-1/ <p>The GraphQL endpoint has Introspection enabled. Introspection allows clients to query the schema and retrieve detailed information about the fields, types, inputs, etc. supported by the GraphQL endpoint. This may be valuable to an attacker, as it could enable them to craft more targeted queries.</p>