OWASP_2025_A08 on ZAP

Cross-Domain JavaScript Source File Inclusion

Mon, 01 Jan 0001 00:00:00 +0000

The page includes one or more script files from a third-party domain.

Emails Found in the Viewstate

Mon, 01 Jan 0001 00:00:00 +0000

Email addresses were found being serialized in the viewstate field.

Insecure JSF ViewState

Mon, 01 Jan 0001 00:00:00 +0000

The response at the following URL contains a ViewState value that has no cryptographic protections.

Loosely Scoped Cookie

Mon, 01 Jan 0001 00:00:00 +0000

Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.

Old Asp.Net Version in Use

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET version 1.0 or 1.1.

Potential IP Addresses Found in the Viewstate

Mon, 01 Jan 0001 00:00:00 +0000

Potential IP addresses were found being serialized in the viewstate field.

Split Viewstate in Use

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET’s Viewstate and its value is split into several chunks.

Viewstate without MAC Signature (Sure)

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET’s Viewstate but without any MAC.

Viewstate without MAC Signature (Unsure)

Mon, 01 Jan 0001 00:00:00 +0000

This website uses ASP.NET’s Viewstate but maybe without any MAC.