ZAPContents
+ +About this report
+ +Report description
+
+
+
+
+ + + OWASP ZAP report of minitwit + +
+ +Report parameters
+
+
+ Contexts
+ + +No contexts were selected, so all contexts were included by default.
+ + +Sites
+ +The following sites were included:
+-
+
- http://164.90.223.49:8080 +
(If no sites were selected, all sites were included by default.)
+An included site must also be within one of the included contexts for its data to be included in the report.
+ +Risk levels
++ Included: + + High, Medium, Low, Informational +
++ Excluded: + None + +
+ +Confidence levels
++ Included: + + + User Confirmed, High, Medium, Low +
++ Excluded: + + + User Confirmed, High, Medium, Low, False Positive +
+Summaries
+ +Alert counts by risk and confidence
+| + | Confidence | +|||||
|---|---|---|---|---|---|---|
| User Confirmed | +High | +Medium | +Low | +Total | +||
| Risk | +High | +0 (0,0 %) |
+ 0 (0,0 %) |
+ 0 (0,0 %) |
+ 0 (0,0 %) |
+ 0 (0,0 %) |
+
| Medium | +0 (0,0 %) |
+ 1 (14,3 %) |
+ 1 (14,3 %) |
+ 1 (14,3 %) |
+ 3 (42,9 %) |
+ |
| Low | +0 (0,0 %) |
+ 0 (0,0 %) |
+ 3 (42,9 %) |
+ 0 (0,0 %) |
+ 3 (42,9 %) |
+ |
| Informational | +0 (0,0 %) |
+ 0 (0,0 %) |
+ 1 (14,3 %) |
+ 0 (0,0 %) |
+ 1 (14,3 %) |
+ |
| Total | +0 (0,0 %) |
+ 1 (14,3 %) |
+ 5 (71,4 %) |
+ 1 (14,3 %) |
+ 7 (100%) |
+ |
Alert counts by site and risk
+| + | Risk | +||||
|---|---|---|---|---|---|
|
+ High (= High) + |
+
+ Medium (>= Medium) + |
+
+ Low (>= Low) + |
+
+ Informational (>= Informational) + |
+ ||
| Site | +http://164.90.223.49:8080 | + +0 (0) |
+ 3 (3) |
+ 3 (6) |
+ 1 (7) |
+
+
Alert counts by alert type
+| Alert type | +Risk | +Count | +
|---|---|---|
| Content Security Policy (CSP) Header Not Set | +Medium | +34 (485,7 %) |
+
| Fravær af Anti-CSRF Tokens | +Medium | +2 (28,6 %) |
+
| Missing Anti-clickjacking Header | +Medium | +34 (485,7 %) |
+
| Cookie No HttpOnly Flag | +Low | +1 (14,3 %) |
+
| Cookie without SameSite Attribute | +Low | +1 (14,3 %) |
+
| X-Content-Type-Options Header Missing | +Low | +35 (500,0 %) |
+
| User Agent Fuzzer | +Informational | +24 (342,9 %) |
+
| Total | ++ | 7 | +
Alerts
+-
+
+
+
+
+
+
-
+
+ Risk=Medium, Confidence=High (1) +
+-
+
+
-
+
+ http://164.90.223.49:8080 (1) +
+-
+
+
-
+
+ Content Security Policy (CSP) Header Not Set (1) +
+-
+
- +
+ GET http://164.90.223.49:8080 +
+ ++
+ ++ +Alert tags ++ + ++ + +Alert description ++ +Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
++ +Request +Request line and header section (205 bytes)
+ +
+ + +GET http://164.90.223.49:8080 HTTP/1.1 +Host: 164.90.223.49:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 +Pragma: no-cache +Cache-Control: no-cache + ++Request body (0 bytes)
+ +
+ + ++ + + + +Response +Status line and header section (118 bytes)
+ +
+ + +HTTP/1.1 200 OK +Content-Type: text/html; charset=utf-8 +Date: Wed, 29 Mar 2023 15:19:19 GMT +Content-Length: 9748 + ++Response body (9748 bytes)
+ +
+ + ++<html> +<head> + <meta charset="utf-8"> + <meta name="viewport" content="width=device-width, initial-scale=1"> + <link rel=stylesheet type=text/css href="static/style.css"> +</head> +<div class=page> + <h1>MiniTwit</h1> + +<div class=navigation> + + <a href="/public">public timeline</a> | + <a href="/register">sign up</a> | + <a href="/login">sign in</a> + +</div> + + +<title>Timeline</title> +<h2>Timeline</h2> + +<ul class="messages"> + + <li> + <img src="http://www.gravatar.com/avatar/69a0729a26d70a8ee6ad7696b7aed833?d=identicon&s=48" /> + <p> + <strong><a href="/Dottie%20Herley">Dottie Herley</a></strong> + Jones yelled to them again, showed a light in the poison before I go,” said the inspector, with amusement. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/39b67cacef99b87ef8789efc83439cda?d=identicon&s=48" /> + <p> + <strong><a href="/Jose%20Kundinger">Jose Kundinger</a></strong> + Then they all agreed that he had been left in you.” + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/3719326fb7259141cd8ead98ddc9be66?d=identicon&s=48" /> + <p> + <strong><a href="/Dorene%20Laskoskie">Dorene Laskoskie</a></strong> + Gar! you’ll be all this desolate vacuity of life has been turned into a roar of laughter. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/7705e86d0254f2eb8e35c3e20ce178c1?d=identicon&s=48" /> + <p> + <strong><a href="/Russ%20Ducey">Russ Ducey</a></strong> + To this one matter, Ahab seemed no more to blame than you, Watson. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/6f110804cbfdfea91036f246341cb5a6?d=identicon&s=48" /> + <p> + <strong><a href="/Keith%20Gerlt">Keith Gerlt</a></strong> + You’ve got to the riggers at the top of a shudder! + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/34baa4041538aeeec0b0f90f930207c3?d=identicon&s=48" /> + <p> + <strong><a href="/Zoe%20Hanchett">Zoe Hanchett</a></strong> + This train stops at Canterbury; and there are none; the horizon lie a long rifle slung over his heart full of confusion and alarm. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/a264fc1ee2f9aa17d23fff1d9f5e9bd2?d=identicon&s=48" /> + <p> + <strong><a href="/Mellie%20Hurl">Mellie Hurl</a></strong> + The fact is, your Grace,” said he, ‘if you can hardly imagine a town practitioner carrying it. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/2095bc98ffba4e6e15dc3a1166ac1be1?d=identicon&s=48" /> + <p> + <strong><a href="/Kelley%20Schappach">Kelley Schappach</a></strong> + It was after five o'clock when Sherlock Holmes waved away the tied tendons that all was dark blue, the maker’s name was Hugh Pattins. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/2b6ace58c8287b3c1a7959f8e3bc683a?d=identicon&s=48" /> + <p> + <strong><a href="/Sanford%20Mcquigg">Sanford Mcquigg</a></strong> + He had been said. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/97dfebf4098c0f5c16bca61e2b76c373?d=identicon&s=48" /> + <p> + <strong><a href="/Marietta%20Weitzner">Marietta Weitzner</a></strong> + “What you say you can leave me to be a small wooden thicket, which led from the Shaster, which gives him far from its end. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/9fa0445925f163078efed38fb004187e?d=identicon&s=48" /> + <p> + <strong><a href="/Deandre%20Dickun">Deandre Dickun</a></strong> + ’Tis but to and be at work in my life.” + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/d9afc8aea07d3521cf47f17fe650cb1e?d=identicon&s=48" /> + <p> + <strong><a href="/Blaine%20Ehrman">Blaine Ehrman</a></strong> + So now we have to do. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/97dfebf4098c0f5c16bca61e2b76c373?d=identicon&s=48" /> + <p> + <strong><a href="/Domenic%20Osmun">Domenic Osmun</a></strong> + He struck a chill to the bottom of the stable-lads held the small local storekeepers made up my pen to write every day. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/109ca698afe87f0629430385f574596a?d=identicon&s=48" /> + <p> + <strong><a href="/Lyn%20Labossiere">Lyn Labossiere</a></strong> + In his singular introspective fashion. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/a34aad12db3c32d79140dfb08cac0115?d=identicon&s=48" /> + <p> + <strong><a href="/Buster%20Ogram">Buster Ogram</a></strong> + From that hour we were to say so. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/6808d5a3a8ebd7f64742c33fb432fc3d?d=identicon&s=48" /> + <p> + <strong><a href="/Jayson%20Greenley">Jayson Greenley</a></strong> + Holmes nodded his acquiescence. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/6ad6cc0d392a5b3592f169ce2ae1c370?d=identicon&s=48" /> + <p> + <strong><a href="/Dave%20Sersen">Dave Sersen</a></strong> + Then he could give us time,” he said. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/b12a257c9048f5e7c74146c3f447479e?d=identicon&s=48" /> + <p> + <strong><a href="/Kurt%20Holmon">Kurt Holmon</a></strong> + “Well, what’s the report?” said Peleg when I awoke, and I know enough about your business! + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/7041a878047e22e953555cc90f06d1b6?d=identicon&s=48" /> + <p> + <strong><a href="/Manual%20Mcglade">Manual Mcglade</a></strong> + 72,000 lbs. of stock fish. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/60f70a5f148df35427b6761772ca914a?d=identicon&s=48" /> + <p> + <strong><a href="/Cristi%20Laflamme">Cristi Laflamme</a></strong> + Stubb was but a stage in his breath the whole furniture. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/0e5d6bb39dc8c8e083b4fc1d4dbccd3c?d=identicon&s=48" /> + <p> + <strong><a href="/Claudio%20Stadheim">Claudio Stadheim</a></strong> + That hazard shall not be darted at him in the daytime. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/9753d289b674fa16f37b1e50c635672d?d=identicon&s=48" /> + <p> + <strong><a href="/Kris%20Hudson">Kris Hudson</a></strong> + “Why should you hold it here; he knows.” + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/9a4184a6c4616f7cc67575a44c3bed4e?d=identicon&s=48" /> + <p> + <strong><a href="/Un%20Vaissiere">Un Vaissiere</a></strong> + I glanced for an instant as fast as a passenger; nor, though I am not free to utter one, was unheard. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/97dfebf4098c0f5c16bca61e2b76c373?d=identicon&s=48" /> + <p> + <strong><a href="/Emmaline%20Mcdiarmid">Emmaline Mcdiarmid</a></strong> + “A good deal, and we settled at Bentley’s private hotel. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/26f9a15e1ddc449315d52c0e07521e49?d=identicon&s=48" /> + <p> + <strong><a href="/Tiffiny%20Tullis">Tiffiny Tullis</a></strong> + Not a fatter fish than he, Flounders round the corner of the Drama “Have you sent to his burrow.” + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/f4467d9b81f34a329caeed39b524bdc1?d=identicon&s=48" /> + <p> + <strong><a href="/Karlyn%20Flaharty">Karlyn Flaharty</a></strong> + “One other thing, Lestrade,” he added, motioning to me or my wife’s maid, during the night. + <small>— 29 Mar 2023 15:13</small> + + <li> + <img src="http://www.gravatar.com/avatar/832e2e40f3dbfb10a3135e3066dd6d3e?d=identicon&s=48" /> + <p> + <strong><a href="/Marcelino%20Hagey">Marcelino Hagey</a></strong> + Where the two deal chairs and tables small clams will sometimes pass on to the main-royal mast-head, was tossing one arm for the gallows. + <small>— 29 Mar 2023 15:13</small> + + <li> + <img src="http://www.gravatar.com/avatar/443ccce8417f194472fcd630dee30c96?d=identicon&s=48" /> + <p> + <strong><a href="/Hans%20Konma">Hans Konma</a></strong> + Sherlock Holmes said that the initials S.W.F. + <small>— 29 Mar 2023 15:13</small> + + <li> + <img src="http://www.gravatar.com/avatar/97dfebf4098c0f5c16bca61e2b76c373?d=identicon&s=48" /> + <p> + <strong><a href="/Lashandra%20Palomo">Lashandra Palomo</a></strong> + This would be an accomplice, and will be even with you I can talk freely of what seemed a little heap of correspondence. + <small>— 29 Mar 2023 15:13</small> + + <li> + <img src="http://www.gravatar.com/avatar/460a0935e8ac8c0d8f2317cbad16920a?d=identicon&s=48" /> + <p> + <strong><a href="/Aubrey%20Lacsamana">Aubrey Lacsamana</a></strong> + Well, Mr. Holmes, in a wild thrill as this man had offered me a true account of her own home. + <small>— 29 Mar 2023 15:13</small> + + </li> + </p> + </li> +</ul> + + +<div class=footer> + MiniTwit — A Gin-gonic Application +</div> +</div> + ++ +Solution ++ +Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+.
+
+
+
+
+
+ -
+
+
+ -
+
-
+
+ Risk=Medium, Confidence=Medium (1) +
+-
+
+
-
+
+ http://164.90.223.49:8080 (1) +
+-
+
+
-
+
+ Missing Anti-clickjacking Header (1) +
+-
+
- +
+ GET http://164.90.223.49:8080 +
+ ++
+ ++ +Alert tags ++ + ++ + +Alert description ++ +The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
++ +Request +Request line and header section (205 bytes)
+ +
+ + +GET http://164.90.223.49:8080 HTTP/1.1 +Host: 164.90.223.49:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 +Pragma: no-cache +Cache-Control: no-cache + ++Request body (0 bytes)
+ +
+ + ++ +Response +Status line and header section (118 bytes)
+ +
+ + +HTTP/1.1 200 OK +Content-Type: text/html; charset=utf-8 +Date: Wed, 29 Mar 2023 15:19:19 GMT +Content-Length: 9748 + ++Response body (9748 bytes)
+ +
+ + ++<html> +<head> + <meta charset="utf-8"> + <meta name="viewport" content="width=device-width, initial-scale=1"> + <link rel=stylesheet type=text/css href="static/style.css"> +</head> +<div class=page> + <h1>MiniTwit</h1> + +<div class=navigation> + + <a href="/public">public timeline</a> | + <a href="/register">sign up</a> | + <a href="/login">sign in</a> + +</div> + + +<title>Timeline</title> +<h2>Timeline</h2> + +<ul class="messages"> + + <li> + <img src="http://www.gravatar.com/avatar/69a0729a26d70a8ee6ad7696b7aed833?d=identicon&s=48" /> + <p> + <strong><a href="/Dottie%20Herley">Dottie Herley</a></strong> + Jones yelled to them again, showed a light in the poison before I go,” said the inspector, with amusement. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/39b67cacef99b87ef8789efc83439cda?d=identicon&s=48" /> + <p> + <strong><a href="/Jose%20Kundinger">Jose Kundinger</a></strong> + Then they all agreed that he had been left in you.” + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/3719326fb7259141cd8ead98ddc9be66?d=identicon&s=48" /> + <p> + <strong><a href="/Dorene%20Laskoskie">Dorene Laskoskie</a></strong> + Gar! you’ll be all this desolate vacuity of life has been turned into a roar of laughter. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/7705e86d0254f2eb8e35c3e20ce178c1?d=identicon&s=48" /> + <p> + <strong><a href="/Russ%20Ducey">Russ Ducey</a></strong> + To this one matter, Ahab seemed no more to blame than you, Watson. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/6f110804cbfdfea91036f246341cb5a6?d=identicon&s=48" /> + <p> + <strong><a href="/Keith%20Gerlt">Keith Gerlt</a></strong> + You’ve got to the riggers at the top of a shudder! + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/34baa4041538aeeec0b0f90f930207c3?d=identicon&s=48" /> + <p> + <strong><a href="/Zoe%20Hanchett">Zoe Hanchett</a></strong> + This train stops at Canterbury; and there are none; the horizon lie a long rifle slung over his heart full of confusion and alarm. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/a264fc1ee2f9aa17d23fff1d9f5e9bd2?d=identicon&s=48" /> + <p> + <strong><a href="/Mellie%20Hurl">Mellie Hurl</a></strong> + The fact is, your Grace,” said he, ‘if you can hardly imagine a town practitioner carrying it. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/2095bc98ffba4e6e15dc3a1166ac1be1?d=identicon&s=48" /> + <p> + <strong><a href="/Kelley%20Schappach">Kelley Schappach</a></strong> + It was after five o'clock when Sherlock Holmes waved away the tied tendons that all was dark blue, the maker’s name was Hugh Pattins. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/2b6ace58c8287b3c1a7959f8e3bc683a?d=identicon&s=48" /> + <p> + <strong><a href="/Sanford%20Mcquigg">Sanford Mcquigg</a></strong> + He had been said. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/97dfebf4098c0f5c16bca61e2b76c373?d=identicon&s=48" /> + <p> + <strong><a href="/Marietta%20Weitzner">Marietta Weitzner</a></strong> + “What you say you can leave me to be a small wooden thicket, which led from the Shaster, which gives him far from its end. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/9fa0445925f163078efed38fb004187e?d=identicon&s=48" /> + <p> + <strong><a href="/Deandre%20Dickun">Deandre Dickun</a></strong> + ’Tis but to and be at work in my life.” + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/d9afc8aea07d3521cf47f17fe650cb1e?d=identicon&s=48" /> + <p> + <strong><a href="/Blaine%20Ehrman">Blaine Ehrman</a></strong> + So now we have to do. + <small>— 29 Mar 2023 15:15</small> + + <li> + <img src="http://www.gravatar.com/avatar/97dfebf4098c0f5c16bca61e2b76c373?d=identicon&s=48" /> + <p> + <strong><a href="/Domenic%20Osmun">Domenic Osmun</a></strong> + He struck a chill to the bottom of the stable-lads held the small local storekeepers made up my pen to write every day. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/109ca698afe87f0629430385f574596a?d=identicon&s=48" /> + <p> + <strong><a href="/Lyn%20Labossiere">Lyn Labossiere</a></strong> + In his singular introspective fashion. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/a34aad12db3c32d79140dfb08cac0115?d=identicon&s=48" /> + <p> + <strong><a href="/Buster%20Ogram">Buster Ogram</a></strong> + From that hour we were to say so. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/6808d5a3a8ebd7f64742c33fb432fc3d?d=identicon&s=48" /> + <p> + <strong><a href="/Jayson%20Greenley">Jayson Greenley</a></strong> + Holmes nodded his acquiescence. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/6ad6cc0d392a5b3592f169ce2ae1c370?d=identicon&s=48" /> + <p> + <strong><a href="/Dave%20Sersen">Dave Sersen</a></strong> + Then he could give us time,” he said. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/b12a257c9048f5e7c74146c3f447479e?d=identicon&s=48" /> + <p> + <strong><a href="/Kurt%20Holmon">Kurt Holmon</a></strong> + “Well, what’s the report?” said Peleg when I awoke, and I know enough about your business! + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/7041a878047e22e953555cc90f06d1b6?d=identicon&s=48" /> + <p> + <strong><a href="/Manual%20Mcglade">Manual Mcglade</a></strong> + 72,000 lbs. of stock fish. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/60f70a5f148df35427b6761772ca914a?d=identicon&s=48" /> + <p> + <strong><a href="/Cristi%20Laflamme">Cristi Laflamme</a></strong> + Stubb was but a stage in his breath the whole furniture. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/0e5d6bb39dc8c8e083b4fc1d4dbccd3c?d=identicon&s=48" /> + <p> + <strong><a href="/Claudio%20Stadheim">Claudio Stadheim</a></strong> + That hazard shall not be darted at him in the daytime. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/9753d289b674fa16f37b1e50c635672d?d=identicon&s=48" /> + <p> + <strong><a href="/Kris%20Hudson">Kris Hudson</a></strong> + “Why should you hold it here; he knows.” + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/9a4184a6c4616f7cc67575a44c3bed4e?d=identicon&s=48" /> + <p> + <strong><a href="/Un%20Vaissiere">Un Vaissiere</a></strong> + I glanced for an instant as fast as a passenger; nor, though I am not free to utter one, was unheard. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/97dfebf4098c0f5c16bca61e2b76c373?d=identicon&s=48" /> + <p> + <strong><a href="/Emmaline%20Mcdiarmid">Emmaline Mcdiarmid</a></strong> + “A good deal, and we settled at Bentley’s private hotel. + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/26f9a15e1ddc449315d52c0e07521e49?d=identicon&s=48" /> + <p> + <strong><a href="/Tiffiny%20Tullis">Tiffiny Tullis</a></strong> + Not a fatter fish than he, Flounders round the corner of the Drama “Have you sent to his burrow.” + <small>— 29 Mar 2023 15:14</small> + + <li> + <img src="http://www.gravatar.com/avatar/f4467d9b81f34a329caeed39b524bdc1?d=identicon&s=48" /> + <p> + <strong><a href="/Karlyn%20Flaharty">Karlyn Flaharty</a></strong> + “One other thing, Lestrade,” he added, motioning to me or my wife’s maid, during the night. + <small>— 29 Mar 2023 15:13</small> + + <li> + <img src="http://www.gravatar.com/avatar/832e2e40f3dbfb10a3135e3066dd6d3e?d=identicon&s=48" /> + <p> + <strong><a href="/Marcelino%20Hagey">Marcelino Hagey</a></strong> + Where the two deal chairs and tables small clams will sometimes pass on to the main-royal mast-head, was tossing one arm for the gallows. + <small>— 29 Mar 2023 15:13</small> + + <li> + <img src="http://www.gravatar.com/avatar/443ccce8417f194472fcd630dee30c96?d=identicon&s=48" /> + <p> + <strong><a href="/Hans%20Konma">Hans Konma</a></strong> + Sherlock Holmes said that the initials S.W.F. + <small>— 29 Mar 2023 15:13</small> + + <li> + <img src="http://www.gravatar.com/avatar/97dfebf4098c0f5c16bca61e2b76c373?d=identicon&s=48" /> + <p> + <strong><a href="/Lashandra%20Palomo">Lashandra Palomo</a></strong> + This would be an accomplice, and will be even with you I can talk freely of what seemed a little heap of correspondence. + <small>— 29 Mar 2023 15:13</small> + + <li> + <img src="http://www.gravatar.com/avatar/460a0935e8ac8c0d8f2317cbad16920a?d=identicon&s=48" /> + <p> + <strong><a href="/Aubrey%20Lacsamana">Aubrey Lacsamana</a></strong> + Well, Mr. Holmes, in a wild thrill as this man had offered me a true account of her own home. + <small>— 29 Mar 2023 15:13</small> + + </li> + </p> + </li> +</ul> + + +<div class=footer> + MiniTwit — A Gin-gonic Application +</div> +</div> + ++ + + +Parameter +X-Frame-Options+ +Solution ++ +Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
+ +If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
+
+
+
+
+
+ -
+
+
+ -
+
-
+
+ Risk=Medium, Confidence=Low (1) +
+-
+
+
-
+
+ http://164.90.223.49:8080 (1) +
+-
+
+
-
+
+ Fravær af Anti-CSRF Tokens (1) +
+-
+
- +
+ GET http://164.90.223.49:8080/register +
+ ++
+ ++ +Alert tags ++ + ++ +Alert description ++ +Ingen Anti-CSRF Tokens blev fundet i HTML formularerne.
+ +A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.
+ +CSRF attacks are effective in a number of situations, including:
+ +* The victim has an active session on the target site.
+ +* The victim is authenticated via HTTP auth on the target site.
+ +* The victim is on the same local network as the target site.
+ +CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.
++ +Other info ++ +Ingen kendte Anti-CSRF tokens [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, __csrf_magic, CSRF, _token, _csrf_token] blev fundet i følgende HTML formularer: [Form 1: "email" "password" "password2" "username" ].
++ +Request +Request line and header section (257 bytes)
+ +
+ + +GET http://164.90.223.49:8080/register HTTP/1.1 +Host: 164.90.223.49:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 +Pragma: no-cache +Cache-Control: no-cache +Referer: http://164.90.223.49:8080/public + ++Request body (0 bytes)
+ +
+ + ++ + + +Response +Status line and header section (117 bytes)
+ +
+ + +HTTP/1.1 200 OK +Content-Type: text/html; charset=utf-8 +Date: Wed, 29 Mar 2023 15:19:20 GMT +Content-Length: 982 + ++Response body (982 bytes)
+ +
+ + ++<html> +<head> + <meta charset="utf-8"> + <meta name="viewport" content="width=device-width, initial-scale=1"> + <link rel=stylesheet type=text/css href="static/style.css"> +</head> +<div class=page> + <h1>MiniTwit</h1> + +<div class=navigation> + + <a href="/public">public timeline</a> | + <a href="/register">sign up</a> | + <a href="/login">sign in</a> + +</div> + + +<title>Sign up | MiniTwit</title> +<h2>Sign Up</h2> + +<form action="/register" method=post> + <dl> + <dt>Username: + <dd><input type=text name=username size=30 required> + <dt>E-Mail: + <dd><input type=text name=email size=30 required> + <dt>Password: + <dd><input type=password name=password size=30 required> + <dt>Password <small>(repeat)</small>: + <dd><input type=password name=password2 size=30 required> + </dl> + <div class=actions><input type=submit value="Sign Up"></div> +</form> + +<div class=footer> + MiniTwit — A Gin-gonic Application +</div> +</div> ++ +Evidence +<form action="/register" method=post>+ +Solution ++ +Phase: Architecture and Design
+ +Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
+ +For example, use anti-CSRF packages such as the OWASP CSRFGuard.
+ +Phase: Implementation
+ +Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.
+ +Phase: Architecture and Design
+ +Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).
+ +Note that this can be bypassed using XSS.
+ +Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.
+ +Note that this can be bypassed using XSS.
+ +Use the ESAPI Session Management control.
+ +This control includes a component for CSRF.
+ +Do not use the GET method for any request that triggers a state change.
+ +Phase: Implementation
+ +Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.
+
+
+
+
+
+ -
+
+
+
+
+
+
+
+ -
+
-
+
+ Risk=Low, Confidence=Medium (3) +
+-
+
+
-
+
+ http://164.90.223.49:8080 (3) +
+-
+
+
-
+
+ Cookie No HttpOnly Flag (1) +
+-
+
- +
+ POST http://164.90.223.49:8080/login +
+ ++
+ ++ +Alert tags ++ + ++ + +Alert description ++ +A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.
++ +Request +Request line and header section (323 bytes)
+ +
+ + +POST http://164.90.223.49:8080/login HTTP/1.1 +Host: 164.90.223.49:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 +Pragma: no-cache +Cache-Control: no-cache +Content-Type: application/x-www-form-urlencoded +Referer: http://164.90.223.49:8080/login +Content-Length: 25 + ++Request body (25 bytes)
+ +
+ + +username=ZAP&password=ZAP+ +Response +Status line and header section (827 bytes)
+ +
+ + +HTTP/1.1 301 Moved Permanently +Location: /public +Set-Cookie: session=MTY4MDEwMzE2OHxEdi1CQkFFQ180SUFBUkFCRUFBQV9nRXRfNElBQVFaemRISnBibWNNQmdBRWRYTmxjZ2RiWFhWcGJuUTRDdjRCRGdELUFRcDdJa2xFSWpveE9UazRPQ3dpUTNKbFlYUmxaRUYwSWpvaU1qQXlNeTB3TXkweU9WUXhOVG94T1RveU9DNDBNemt3TXpGYUlpd2lWWEJrWVhSbFpFRjBJam9pTWpBeU15MHdNeTB5T1ZReE5Ub3hPVG95T0M0ME16a3dNekZhSWl3aVJHVnNaWFJsWkVGMElqcHVkV3hzTENKVmMyVnlibUZ0WlNJNklscEJVQ0lzSWtWdFlXbHNJam9pWm05dkxXSmhja0JsZUdGdGNHeGxMbU52YlNJc0lsQjNTR0Z6YUNJNklpUXlZU1F4TUNSdU16bDBSbTV3ZEhSM2NYWjZWV2xQWVZJeExsVXVhVmgzYTJabFVtWkVkRmw2WVZWVVFsQmtaRXRUZUc4NVRsZ3ZWV05OWlNJc0lrMWxjM05oWjJWeklqcHVkV3hzTENKR2IyeHNiM2RwYm1keklqcHVkV3hzZlE9PXzOxTTFQdR39XWcr_t3YpwRigoROTYsVhBzU0XTPxIcOA==; Path=/; Expires=Fri, 28 Apr 2023 15:19:28 GMT; Max-Age=2592000 +Date: Wed, 29 Mar 2023 15:19:28 GMT +Content-Length: 0 + ++Response body (0 bytes)
+ +
+ + ++ + +Parameter +session+ +Evidence +Set-Cookie: session+ +Solution ++ +Ensure that the HttpOnly flag is set for all cookies.
+
+
+
+ -
+
+ Cookie without SameSite Attribute (1) +
+-
+
- +
+ POST http://164.90.223.49:8080/login +
+ ++
+ ++ +Alert tags ++ + ++ + +Alert description ++ +A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request.
+ +The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.
++ +Request +Request line and header section (323 bytes)
+ +
+ + +POST http://164.90.223.49:8080/login HTTP/1.1 +Host: 164.90.223.49:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 +Pragma: no-cache +Cache-Control: no-cache +Content-Type: application/x-www-form-urlencoded +Referer: http://164.90.223.49:8080/login +Content-Length: 25 + ++Request body (25 bytes)
+ +
+ + +username=ZAP&password=ZAP+ +Response +Status line and header section (827 bytes)
+ +
+ + +HTTP/1.1 301 Moved Permanently +Location: /public +Set-Cookie: session=MTY4MDEwMzE2OHxEdi1CQkFFQ180SUFBUkFCRUFBQV9nRXRfNElBQVFaemRISnBibWNNQmdBRWRYTmxjZ2RiWFhWcGJuUTRDdjRCRGdELUFRcDdJa2xFSWpveE9UazRPQ3dpUTNKbFlYUmxaRUYwSWpvaU1qQXlNeTB3TXkweU9WUXhOVG94T1RveU9DNDBNemt3TXpGYUlpd2lWWEJrWVhSbFpFRjBJam9pTWpBeU15MHdNeTB5T1ZReE5Ub3hPVG95T0M0ME16a3dNekZhSWl3aVJHVnNaWFJsWkVGMElqcHVkV3hzTENKVmMyVnlibUZ0WlNJNklscEJVQ0lzSWtWdFlXbHNJam9pWm05dkxXSmhja0JsZUdGdGNHeGxMbU52YlNJc0lsQjNTR0Z6YUNJNklpUXlZU1F4TUNSdU16bDBSbTV3ZEhSM2NYWjZWV2xQWVZJeExsVXVhVmgzYTJabFVtWkVkRmw2WVZWVVFsQmtaRXRUZUc4NVRsZ3ZWV05OWlNJc0lrMWxjM05oWjJWeklqcHVkV3hzTENKR2IyeHNiM2RwYm1keklqcHVkV3hzZlE9PXzOxTTFQdR39XWcr_t3YpwRigoROTYsVhBzU0XTPxIcOA==; Path=/; Expires=Fri, 28 Apr 2023 15:19:28 GMT; Max-Age=2592000 +Date: Wed, 29 Mar 2023 15:19:28 GMT +Content-Length: 0 + ++Response body (0 bytes)
+ +
+ + ++ + +Parameter +session+ +Evidence +Set-Cookie: session+ +Solution ++ +Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
+
+
+
+ -
+
+ X-Content-Type-Options Header Missing (1) +
+-
+
- +
+ GET http://164.90.223.49:8080/register +
+ ++
+ ++ +Alert tags ++ + ++ +Alert description ++ +The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
++ +Other info ++ +This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.
+ +At "High" threshold this scan rule will not alert on client or server error responses.
++ +Request +Request line and header section (257 bytes)
+ +
+ + +GET http://164.90.223.49:8080/register HTTP/1.1 +Host: 164.90.223.49:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 +Pragma: no-cache +Cache-Control: no-cache +Referer: http://164.90.223.49:8080/public + ++Request body (0 bytes)
+ +
+ + ++ +Response +Status line and header section (117 bytes)
+ +
+ + +HTTP/1.1 200 OK +Content-Type: text/html; charset=utf-8 +Date: Wed, 29 Mar 2023 15:19:20 GMT +Content-Length: 982 + ++Response body (982 bytes)
+ +
+ + ++<html> +<head> + <meta charset="utf-8"> + <meta name="viewport" content="width=device-width, initial-scale=1"> + <link rel=stylesheet type=text/css href="static/style.css"> +</head> +<div class=page> + <h1>MiniTwit</h1> + +<div class=navigation> + + <a href="/public">public timeline</a> | + <a href="/register">sign up</a> | + <a href="/login">sign in</a> + +</div> + + +<title>Sign up | MiniTwit</title> +<h2>Sign Up</h2> + +<form action="/register" method=post> + <dl> + <dt>Username: + <dd><input type=text name=username size=30 required> + <dt>E-Mail: + <dd><input type=text name=email size=30 required> + <dt>Password: + <dd><input type=password name=password size=30 required> + <dt>Password <small>(repeat)</small>: + <dd><input type=password name=password2 size=30 required> + </dl> + <div class=actions><input type=submit value="Sign Up"></div> +</form> + +<div class=footer> + MiniTwit — A Gin-gonic Application +</div> +</div> ++ + + +Parameter +X-Content-Type-Options+ +Solution ++ +Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
+ +If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
+
+
+
+
+
+ -
+
+
+
+
+
+
+
+
+
+ -
+
-
+
+ Risk=Informational, Confidence=Medium (1) +
+-
+
+
-
+
+ http://164.90.223.49:8080 (1) +
+-
+
+
-
+
+ User Agent Fuzzer (1) +
+-
+
- +
+ POST http://164.90.223.49:8080/register +
+ ++
+ ++ +Alert tags ++ + ++ + +Alert description ++ +Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.
++ +Request +Request line and header section (299 bytes)
+ +
+ + +POST http://164.90.223.49:8080/register HTTP/1.1 +Host: 164.90.223.49:8080 +User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) +Pragma: no-cache +Cache-Control: no-cache +Content-Type: application/x-www-form-urlencoded +Referer: http://164.90.223.49:8080/register +Content-Length: 67 + ++Request body (67 bytes)
+ +
+ + +username=ZAP&email=foo-bar%40example.com&password=ZAP&password2=ZAP+ +Response +Status line and header section (127 bytes)
+ +
+ + +HTTP/1.1 400 Bad Request +Content-Type: text/html; charset=utf-8 +Date: Wed, 29 Mar 2023 15:21:47 GMT +Content-Length: 1058 + ++Response body (1058 bytes)
+ +
+ + ++<html> +<head> + <meta charset="utf-8"> + <meta name="viewport" content="width=device-width, initial-scale=1"> + <link rel=stylesheet type=text/css href="static/style.css"> +</head> +<div class=page> + <h1>MiniTwit</h1> + +<div class=navigation> + + <a href="/public">public timeline</a> | + <a href="/register">sign up</a> | + <a href="/login">sign in</a> + +</div> + + +<title>Sign up | MiniTwit</title> +<h2>Sign Up</h2> +<div class=error><strong>Error:</strong> The username is already taken</div> +<form action="/register" method=post> + <dl> + <dt>Username: + <dd><input type=text name=username size=30 required> + <dt>E-Mail: + <dd><input type=text name=email size=30 required> + <dt>Password: + <dd><input type=password name=password size=30 required> + <dt>Password <small>(repeat)</small>: + <dd><input type=password name=password2 size=30 required> + </dl> + <div class=actions><input type=submit value="Sign Up"></div> +</form> + +<div class=footer> + MiniTwit — A Gin-gonic Application +</div> +</div> ++ +Parameter +Header User-Agent+ + + +Attack +Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
+
+
+
+
+ -
+
+
+
+
+ -
+
Appendix
+ +Alert types
+This section contains additional information on the types of alerts in the report.
+-
+
-
+
Content Security Policy (CSP) Header Not Set
++
++ +Source ++ + raised by a passive scanner (Content Security Policy (CSP) Header Not Set) + + ++ +CWE ID +693 ++ +WASC ID +15 ++ +Reference ++ +-
+
- https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy +
- https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html +
- http://www.w3.org/TR/CSP/ +
- http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html +
- http://www.html5rocks.com/en/tutorials/security/content-security-policy/ +
- http://caniuse.com/#feat=contentsecuritypolicy +
- http://content-security-policy.com/ +
+ -
+
Fravær af Anti-CSRF Tokens
++
++ +Source ++ + raised by a passive scanner (Fravær af Anti-CSRF Tokens) + + ++ +CWE ID +352 ++ +WASC ID +9 ++ +Reference ++ + +
+ -
+
Missing Anti-clickjacking Header
++
++ +Source ++ + raised by a passive scanner (Anti-clickjacking Header) + + ++ +CWE ID +1021 ++ +WASC ID +15 ++ +Reference ++ + +
+ -
+
Cookie No HttpOnly Flag
++
++ +Source ++ + raised by a passive scanner (Cookie No HttpOnly Flag) + + ++ +CWE ID +1004 ++ +WASC ID +13 ++ +Reference ++ + +
+ -
+
Cookie without SameSite Attribute
++
++ +Source ++ + raised by a passive scanner (Cookie without SameSite Attribute) + + ++ +CWE ID +1275 ++ +WASC ID +13 ++ +Reference ++ + +
+ -
+
X-Content-Type-Options Header Missing
++
++ +Source ++ + raised by a passive scanner (X-Content-Type-Options Header Missing) + + ++ +CWE ID +693 ++ +WASC ID +15 ++ +Reference ++ + +
+ -
+
User Agent Fuzzer
++
++ + + +Source ++ + raised by an active scanner (User Agent Fuzzer) + + ++ +Reference ++ + +
+