OWASP_2025_A02 on ZAP

.env Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information.

.htaccess Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer.

Anti-CSRF Tokens Check

Mon, 01 Jan 0001 00:00:00 +0000

A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

Application Error Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

Backup File Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

A backup of the file was disclosed by the web server.

Charset Mismatch

Mon, 01 Jan 0001 00:00:00 +0000

This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there’s a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content’s correct character set.

Charset Mismatch (Header Versus Meta Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Charset Mismatch (Header Versus Meta Content-Type Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Charset Mismatch (Meta Charset Versus Meta Content-Type Charset)

Mon, 01 Jan 0001 00:00:00 +0000

Cloud Metadata Potentially Exposed

Mon, 01 Jan 0001 00:00:00 +0000

The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure. All of these providers provide metadata via an internal unroutable IP address ‘169.254.169.254’ - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field.

Content Security Policy (CSP) Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Content Security Policy (CSP) Report-Only Header Found

Mon, 01 Jan 0001 00:00:00 +0000

The response contained a Content-Security-Policy-Report-Only header, this may indicate a work-in-progress implementation, or an oversight in promoting pre-Prod to Prod, etc.

Content-Type Header Empty

Mon, 01 Jan 0001 00:00:00 +0000

The Content-Type header was either missing or empty.

Content-Type Header Missing

Mon, 01 Jan 0001 00:00:00 +0000

The Content-Type header was either missing or empty.

Cookie No HttpOnly Flag

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

Cookie Slack Detector

Mon, 01 Jan 0001 00:00:00 +0000

Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced.

Cookie Without Secure Flag

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

Cross-Domain Misconfiguration - Adobe - Read

Mon, 01 Jan 0001 00:00:00 +0000

Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server.

Cross-Domain Misconfiguration - Adobe - Send

Mon, 01 Jan 0001 00:00:00 +0000

Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server.

Cross-Domain Misconfiguration - Silverlight

Mon, 01 Jan 0001 00:00:00 +0000

Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server.

CSP: Failure to Define Directive with No Fallback

Mon, 01 Jan 0001 00:00:00 +0000

The Content Security Policy fails to define one of the directives that has no fallback. Missing/excluding them is the same as allowing anything.

CSP: Header & Meta

Mon, 01 Jan 0001 00:00:00 +0000

The message contained both CSP specified via header and via Meta tag. It was not possible to union these policies in order to perform an analysis. Therefore, they have been evaluated individually.

CSP: Malformed Policy (Non-ASCII)

Mon, 01 Jan 0001 00:00:00 +0000

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

CSP: Meta Policy Invalid Directive

Mon, 01 Jan 0001 00:00:00 +0000

The policy specified via meta element contains either or both the sandbox or frame-ancestors directive, which are not permitted inside meta CSP definitions.

CSP: Notices

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-eval

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-hashes

Mon, 01 Jan 0001 00:00:00 +0000

CSP: script-src unsafe-inline

Mon, 01 Jan 0001 00:00:00 +0000

CSP: style-src unsafe-hashes

Mon, 01 Jan 0001 00:00:00 +0000

CSP: style-src unsafe-inline

Mon, 01 Jan 0001 00:00:00 +0000

CSP: Wildcard Directive

Mon, 01 Jan 0001 00:00:00 +0000

CSP: X-Content-Security-Policy

Mon, 01 Jan 0001 00:00:00 +0000

CSP: X-WebKit-CSP

Mon, 01 Jan 0001 00:00:00 +0000

Directory Browsing

Mon, 01 Jan 0001 00:00:00 +0000

It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information.

ELMAH Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information.

Exposed Secrets in Swagger/OpenAPI Path

Mon, 01 Jan 0001 00:00:00 +0000

Swagger UI endpoint exposes sensitive secrets such as client secrets, API keys, or OAuth tokens. These secrets may be accessible in the HTML source and should not be exposed publicly, as this can lead to compromise.

GraphQL Endpoint Supports Introspection

Mon, 01 Jan 0001 00:00:00 +0000

The GraphQL endpoint has Introspection enabled. Introspection allows clients to query the schema and retrieve detailed information about the fields, types, inputs, etc. supported by the GraphQL endpoint. This may be valuable to an attacker, as it could enable them to craft more targeted queries.

Hidden File Found

Mon, 01 Jan 0001 00:00:00 +0000

A sensitive file was identified as accessible or available. This may leak administrative, configuration, or credential information which can be leveraged by a malicious individual to further attack the system or conduct social engineering efforts.

Httpoxy - Proxy Header Misuse

Mon, 01 Jan 0001 00:00:00 +0000

The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments. This may allow attackers to:

Proxy the outgoing HTTP requests made by the web application
Direct the server to open outgoing connections to an address and port of their choosing or
Tie up server resources by forcing the vulnerable software to use a malicious proxy.

In Page Banner Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The server returned a version banner string in the response content. Such information leaks may allow attackers to further target specific issues impacting the product and version in use.

Insecure HTTP Method

Mon, 01 Jan 0001 00:00:00 +0000

The most common methodology for attackers is to first footprint the target’s web presence and enumerate as much information as possible. With this information, the attacker may develop an accurate attack scenario, which will effectively exploit a vulnerability in the software type/version being utilized by the target host.

Missing Anti-clickjacking Header

Mon, 01 Jan 0001 00:00:00 +0000

The response does not protect against ‘ClickJacking’ attacks. It should include either Content-Security-Policy with ‘frame-ancestors’ directive or X-Frame-Options.

Modern Web Application

Mon, 01 Jan 0001 00:00:00 +0000

The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

Multiple X-Frame-Options Header Entries

Mon, 01 Jan 0001 00:00:00 +0000

X-Frame-Options (XFO) headers were found, a response with multiple XFO header entries may not be predictably treated by all user-agents.

Obsolete Content Security Policy (CSP) Header Found

Mon, 01 Jan 0001 00:00:00 +0000

The “X-Content-Security-Policy” and “X-WebKit-CSP” headers are no longer recommended.

Possible Username Enumeration

Mon, 01 Jan 0001 00:00:00 +0000

It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the ‘Attack Strength’ Option in ZAP. Please manually check the ‘Other Info’ field to confirm if this is actually an issue.

Properties File Disclosure - /WEB-INF folder

Mon, 01 Jan 0001 00:00:00 +0000

A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys.

Proxy Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

Relative Path Confusion

Mon, 01 Jan 0001 00:00:00 +0000

The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct “relative path” for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. In an attack, if the web browser parses the “cross-content” response in a permissive manner, or can be tricked into permissively parsing the “cross-content” response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability.

Secure Pages Include Mixed Content

Mon, 01 Jan 0001 00:00:00 +0000

The page includes mixed content, that is content accessed via HTTP instead of HTTPS.

Server Leaks its Webserver Application via "Server" HTTP Response Header Field

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking the application it uses as a webserver via the “Server” HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to. This information alone, i.e. without a version string, is not very dangerous for the security of a server, nevertheless this information in the response header field is almost always useless and thus just an obsolete attacking vector.

Server Leaks Version Information via "Server" HTTP Response Header Field

Mon, 01 Jan 0001 00:00:00 +0000

The web/application server is leaking version information via the “Server” HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.

Source Code Disclosure - /WEB-INF Folder

Mon, 01 Jan 0001 00:00:00 +0000

Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code.

Source Code Disclosure - CVE-2012-1823

Mon, 01 Jan 0001 00:00:00 +0000

Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped “=” character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML.

Source Code Disclosure - File Inclusion

Mon, 01 Jan 0001 00:00:00 +0000

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.

Source Code Disclosure - Git

Mon, 01 Jan 0001 00:00:00 +0000

The source code for the current page was disclosed by the web server.

Source Code Disclosure - PHP

Mon, 01 Jan 0001 00:00:00 +0000

Application Source Code was disclosed by the web server. - PHP

Source Code Disclosure - SVN

Mon, 01 Jan 0001 00:00:00 +0000

The source code for the current page was disclosed by the web server.

Spring Actuator Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

Spring Actuator for Health is enabled and may reveal sensitive information about this application. Spring Actuators can be used for real monitoring purposes, but should be used with caution as to not expose too much information about the application or the infrastructure running it.

Strict-Transport-Security Defined via META (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) META tag was found, defining HTTP Strict Transport Security (HSTS) via a META tag is explicitly not supported by the spec (RFC 6797).

Strict-Transport-Security Disabled

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains the directive max-age=0 which disables the control and instructs browsers to reset any previous HSTS related settings. See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.

Strict-Transport-Security Header on Plain HTTP Response

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but HSTS headers are ignored on plain (non-HTTPS) responses. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Malformed Content (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters.

Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Missing Max-Age (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

A HTTP Strict Transport Security (HSTS) header was found, but it is missing the max-age directive (or the directive is missing a value). See RFC 6797 for further details. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Strict-Transport-Security Multiple Header Entries (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Strict Transport Security (HSTS) headers were found, a response with multiple HSTS header entries is not compliant with the specification (RFC 6797) and only the first HSTS header will be processed others will be ignored by user agents or the HSTS policy may be incorrectly applied. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL).

Sub Resource Integrity Attribute Missing

Mon, 01 Jan 0001 00:00:00 +0000

The integrity attribute is missing on a script or link tag served by an external server. The integrity tag prevents an attacker who have gained access to this server from injecting a malicious content.

Trace.axd Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information.

Vulnerable Swagger UI Version Detected

Mon, 01 Jan 0001 00:00:00 +0000

This Swagger UI version is known to contain vulnerabilities. Exploitation may allow unauthorized access, XSS, or token theft.

Affected versions:

Swagger UI v2 < 2.2.10
Swagger UI v3 < 3.24.3

WSDL File Detection

Mon, 01 Jan 0001 00:00:00 +0000

A WSDL File has been detected.

X-AspNet-Version Response Header

Mon, 01 Jan 0001 00:00:00 +0000

Server leaks information via “X-AspNet-Version”/“X-AspNetMvc-Version” HTTP response header field(s).

X-Backend-Server Header Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems.

X-Content-Type-Options Header Missing

Mon, 01 Jan 0001 00:00:00 +0000

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to ’nosniff’. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

X-Frame-Options Defined via META (Non-compliant with Spec)

Mon, 01 Jan 0001 00:00:00 +0000

An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034).

X-Frame-Options Setting Malformed

Mon, 01 Jan 0001 00:00:00 +0000

An X-Frame-Options header was present in the response but the value was not correctly set.