ZAP – Username Hash Found

Details
Alert Id	10057
Alert Type	Passive
Status	release
Risk	Informational
CWE	284
WASC	2
Technologies Targeted	All
Tags	CUSTOM_PAYLOADS OWASP_2017_A05 OWASP_2021_A01 WSTG-V42-ATHZ-04

Summary

A hash of a username (admin) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused.

Solution

Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object.

Other Info

The hash was an SHA1, with value: d033e22ae348aeb5660fc2140aec35850c4da997

References

https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html

Code

org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java