OWASP_2025_A06 on ZAP

Big Redirect Detected (Potential Sensitive Information Leak)

Mon, 01 Jan 0001 00:00:00 +0000

The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.).

Cross-Origin-Embedder-Policy Header Missing or Invalid

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don’t explicitly grant the document permission (using CORP or CORS).

Cross-Origin-Opener-Policy Header Missing or Invalid

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin-Opener-Policy header is a response header that allows a site to control if others included documents share the same browsing context. Sharing the same browsing context with untrusted documents might lead to data leak.

Cross-Origin-Resource-Policy Header Missing or Invalid

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin-Resource-Policy header is an opt-in header designed to counter side-channels attacks like Spectre. Resource should be specifically set as shareable amongst different origins.

Dangerous JS Functions

Mon, 01 Jan 0001 00:00:00 +0000

A dangerous JS function seems to be in use that would leave the site vulnerable.

Emails Found in the Viewstate

Mon, 01 Jan 0001 00:00:00 +0000

Email addresses were found being serialized in the viewstate field.

Exponential Entity Expansion (Billion Laughs Attack)

Mon, 01 Jan 0001 00:00:00 +0000

An exponential entity expansion, or “billion laughs” attack is a type of denial-of-service (DoS) attack. It is aimed at parsers of markup languages like XML or YAML that allow macro expansions.

GET for POST

Mon, 01 Jan 0001 00:00:00 +0000

A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible.

GraphQL Circular Type Reference

Mon, 01 Jan 0001 00:00:00 +0000

A circular reference was detected in the GraphQL schema, where object types reference each other in a cycle. This can be exploited by attackers to craft deeply recursive queries, potentially leading to Denial of Service (DoS) conditions.

Hash Disclosure - MD4 / MD5

Mon, 01 Jan 0001 00:00:00 +0000

A hash was disclosed by the web server. - MD4 / MD5

HTTP Parameter Override

Mon, 01 Jan 0001 00:00:00 +0000

Unspecified form action: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable.

Insecure JSF ViewState

Mon, 01 Jan 0001 00:00:00 +0000

The response at the following URL contains a ViewState value that has no cryptographic protections.

Java Serialization Object

Mon, 01 Jan 0001 00:00:00 +0000

Java Serialization seems to be in use. If not correctly validated, an attacker can send a specially crafted object. This can lead to a dangerous “Remote Code Execution”. A magic sequence identifying JSO has been detected (Base64: rO0AB, Raw: 0xac, 0xed, 0x00, 0x05).

Multiple HREFs Redirect Detected (Potential Sensitive Information Leak)

Mon, 01 Jan 0001 00:00:00 +0000

The server has responded with a redirect that seems to contain multiple links. This may indicate that although the server sent a redirect it also responded with body content links (which may include sensitive details, PII, lead to admin panels, etc.).

Old Asp.Net Version in Use

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET version 1.0 or 1.1.

Parameter Tampering

Mon, 01 Jan 0001 00:00:00 +0000

Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit.

PII Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data.

Potential IP Addresses Found in the Viewstate

Mon, 01 Jan 0001 00:00:00 +0000

Potential IP addresses were found being serialized in the viewstate field.

Reverse Tabnabbing

Mon, 01 Jan 0001 00:00:00 +0000

At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the “noopener” and “noreferrer” keywords in the “rel” attribute, which allows the target page to take control of this page.

Split Viewstate in Use

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET’s Viewstate and its value is split into several chunks.

Viewstate without MAC Signature (Sure)

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET’s Viewstate but without any MAC.

Viewstate without MAC Signature (Unsure)

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET’s Viewstate but maybe without any MAC.

X-ChromeLogger-Data (XCOLD) Header Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find: server file system locations, vhost declarations, etc.