zapKnownIssues.xml
<?xml version="1.0"?><OWASPZAPReport version="D-2019-08-19" generated="Wed, 21 Aug 2019 21:27:29">
<site name="https://div-rfe-aat.service.core-compute-aat.internal" host="div-rfe-aat.service.core-compute-aat.internal" port="443" ssl="true"><alerts><alertitem>
<pluginid>10096</pluginid>
<alert>Timestamp Disclosure - Unix</alert>
<name>Timestamp Disclosure - Unix</name>
<riskcode>0</riskcode>
<confidence>1</confidence>
<riskdesc>Informational (Low)</riskdesc>
<desc><p>A timestamp was disclosed by the application/web server - Unix</p></desc>
<instances>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/images/favicon.ico</uri>
<method>GET</method>
<evidence>00000000</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/main.js</uri>
<method>GET</method>
<evidence>20110525</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/images/favicon.ico</uri>
<method>GET</method>
<evidence>20000000</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/images/favicon.ico</uri>
<method>GET</method>
<evidence>200000001</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/main.js</uri>
<method>GET</method>
<evidence>20030331</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/terms-and-conditions</uri>
<method>GET</method>
<evidence>93824767</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/main.js</uri>
<method>GET</method>
<evidence>20110929</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/main.js</uri>
<method>GET</method>
<evidence>233028270</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/cookie</uri>
<method>GET</method>
<evidence>93824767</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/images/favicon.ico</uri>
<method>GET</method>
<evidence>0000000002</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/privacy-policy</uri>
<method>GET</method>
<evidence>93824767</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/images/favicon.ico</uri>
<method>GET</method>
<evidence>00000010</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/images/favicon.ico</uri>
<method>GET</method>
<evidence>000000000</evidence>
</instance>
</instances>
<count>13</count>
<solution><p>Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.</p></solution>
<otherinfo><p>00000000, which evaluates to: 1970-01-01 00:00:00</p></otherinfo>
<reference><p>https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure</p><p>http://projects.webappsec.org/w/page/13246936/Information%20Leakage</p></reference>
<cweid>200</cweid>
<wascid>13</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10037</pluginid>
<alert>Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)</alert>
<name>Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)</name>
<riskcode>1</riskcode>
<confidence>2</confidence>
<riskdesc>Low (Medium)</riskdesc>
<desc><p>The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.</p></desc>
<instances>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/images/favicon.ico</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/sitemap.xml</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/images/govuk-apple-touch-icon-180x180.png</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/cookie</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/robots.txt</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/main.css</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/main.js</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/images/govuk-apple-touch-icon.png</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/terms-and-conditions</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/images/govuk-apple-touch-icon-152x152.png</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/images/govuk-apple-touch-icon-167x167.png</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/privacy-policy</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/images/govuk-mask-icon.svg</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/noJS.png</uri>
<method>GET</method>
<evidence>X-Powered-By: ASP.NET</evidence>
</instance>
</instances>
<count>16</count>
<solution><p>Ensure that your web server, application server, load balancer, etc. is configured to suppress "X-Powered-By" headers.</p></solution>
<reference><p>http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx</p><p>http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html</p></reference>
<cweid>200</cweid>
<wascid>13</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10055</pluginid>
<alert>CSP Scanner: script-src unsafe-inline</alert>
<name>CSP Scanner: script-src unsafe-inline</name>
<riskcode>2</riskcode>
<confidence>2</confidence>
<riskdesc>Medium (Medium)</riskdesc>
<desc><p>script-src includes unsafe-inline.</p></desc>
<instances>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/sitemap.xml</uri>
<method>GET</method>
<param>Content-Security-Policy</param>
<evidence>font-src 'self' data:; script-src 'self' 'unsafe-inline' www.google-analytics.com hmctspiwik.useconnect.co.uk www.googletagmanager.com; connect-src 'self'; media-src 'self'; frame-src 'none'; img-src 'self' www.google-analytics.com hmctspiwik.useconnect.co.uk</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/cookie</uri>
<method>GET</method>
<param>Content-Security-Policy</param>
<evidence>font-src 'self' data:; script-src 'self' 'unsafe-inline' www.google-analytics.com hmctspiwik.useconnect.co.uk www.googletagmanager.com; connect-src 'self'; media-src 'self'; frame-src 'none'; img-src 'self' www.google-analytics.com hmctspiwik.useconnect.co.uk</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/noJS.png</uri>
<method>GET</method>
<param>Content-Security-Policy</param>
<evidence>font-src 'self' data:; script-src 'self' 'unsafe-inline' www.google-analytics.com hmctspiwik.useconnect.co.uk www.googletagmanager.com; connect-src 'self'; media-src 'self'; frame-src 'none'; img-src 'self' www.google-analytics.com hmctspiwik.useconnect.co.uk</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/privacy-policy</uri>
<method>GET</method>
<param>Content-Security-Policy</param>
<evidence>font-src 'self' data:; script-src 'self' 'unsafe-inline' www.google-analytics.com hmctspiwik.useconnect.co.uk www.googletagmanager.com; connect-src 'self'; media-src 'self'; frame-src 'none'; img-src 'self' www.google-analytics.com hmctspiwik.useconnect.co.uk</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/terms-and-conditions</uri>
<method>GET</method>
<param>Content-Security-Policy</param>
<evidence>font-src 'self' data:; script-src 'self' 'unsafe-inline' www.google-analytics.com hmctspiwik.useconnect.co.uk www.googletagmanager.com; connect-src 'self'; media-src 'self'; frame-src 'none'; img-src 'self' www.google-analytics.com hmctspiwik.useconnect.co.uk</evidence>
</instance>
</instances>
<count>5</count>
<solution><p>Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.</p></solution>
<reference><p>http://www.w3.org/TR/CSP2/</p><p>http://www.w3.org/TR/CSP/</p><p>http://caniuse.com/#search=content+security+policy</p><p>http://content-security-policy.com/</p><p>https://github.com/shapesecurity/salvation</p></reference>
<cweid>16</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>20012</pluginid>
<alert>Anti CSRF Tokens Scanner</alert>
<name>Anti CSRF Tokens Scanner</name>
<riskcode>3</riskcode>
<confidence>2</confidence>
<riskdesc>High (Medium)</riskdesc>
<desc><p>A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.</p><p></p><p>CSRF attacks are effective in a number of situations, including:</p><p> * The victim has an active session on the target site.</p><p> * The victim is authenticated via HTTP auth on the target site.</p><p> * The victim is on the same local network as the target site.</p><p></p><p>CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.</p></desc>
<instances>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/main.js</uri>
<method>GET</method>
<evidence><form></evidence>
</instance>
</instances>
<count>1</count>
<solution><p>Phase: Architecture and Design</p><p>Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.</p><p>For example, use anti-CSRF packages such as the OWASP CSRFGuard.</p><p></p><p>Phase: Implementation</p><p>Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.</p><p></p><p>Phase: Architecture and Design</p><p>Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).</p><p>Note that this can be bypassed using XSS.</p><p></p><p>Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.</p><p>Note that this can be bypassed using XSS.</p><p></p><p>Use the ESAPI Session Management control.</p><p>This control includes a component for CSRF.</p><p></p><p>Do not use the GET method for any request that triggers a state change.</p><p></p><p>Phase: Implementation</p><p>Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.</p></solution>
<reference><p>http://projects.webappsec.org/Cross-Site-Request-Forgery</p><p>http://cwe.mitre.org/data/definitions/352.html</p></reference>
<cweid>352</cweid>
<wascid>9</wascid>
<sourceid>1</sourceid>
</alertitem>
<alertitem>
<pluginid>10054</pluginid>
<alert>Cookie Without SameSite Attribute</alert>
<name>Cookie Without SameSite Attribute</name>
<riskcode>1</riskcode>
<confidence>2</confidence>
<riskdesc>Low (Medium)</riskdesc>
<desc><p>A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.</p></desc>
<instances>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/sitemap.xml</uri>
<method>GET</method>
<param>i18n</param>
<evidence>Set-Cookie: i18n</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/</uri>
<method>GET</method>
<param>i18n</param>
<evidence>Set-Cookie: i18n</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal</uri>
<method>GET</method>
<param>i18n</param>
<evidence>Set-Cookie: i18n</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/cookie</uri>
<method>GET</method>
<param>i18n</param>
<evidence>Set-Cookie: i18n</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/privacy-policy</uri>
<method>GET</method>
<param>session</param>
<evidence>Set-Cookie: session</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/terms-and-conditions</uri>
<method>GET</method>
<param>i18n</param>
<evidence>Set-Cookie: i18n</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/terms-and-conditions</uri>
<method>GET</method>
<param>session</param>
<evidence>Set-Cookie: session</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal</uri>
<method>GET</method>
<param>session</param>
<evidence>Set-Cookie: session</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/cookie</uri>
<method>GET</method>
<param>session</param>
<evidence>Set-Cookie: session</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/</uri>
<method>GET</method>
<param>session</param>
<evidence>Set-Cookie: session</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/sitemap.xml</uri>
<method>GET</method>
<param>session</param>
<evidence>Set-Cookie: session</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal</uri>
<method>GET</method>
<param>__state</param>
<evidence>Set-Cookie: __state</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/privacy-policy</uri>
<method>GET</method>
<param>i18n</param>
<evidence>Set-Cookie: i18n</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/</uri>
<method>GET</method>
<param>__state</param>
<evidence>Set-Cookie: __state</evidence>
</instance>
</instances>
<count>14</count>
<solution><p>Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.</p></solution>
<reference><p>https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site</p></reference>
<cweid>16</cweid>
<wascid>13</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10055</pluginid>
<alert>CSP Scanner: Wildcard Directive</alert>
<name>CSP Scanner: Wildcard Directive</name>
<riskcode>2</riskcode>
<confidence>2</confidence>
<riskdesc>Medium (Medium)</riskdesc>
<desc><p>The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: </p><p>style-src, style-src-elem, style-src-attr, frame-ancestor, object-src, manifest-src, prefetch-src</p></desc>
<instances>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/terms-and-conditions</uri>
<method>GET</method>
<param>Content-Security-Policy</param>
<evidence>font-src 'self' data:; script-src 'self' 'unsafe-inline' www.google-analytics.com hmctspiwik.useconnect.co.uk www.googletagmanager.com; connect-src 'self'; media-src 'self'; frame-src 'none'; img-src 'self' www.google-analytics.com hmctspiwik.useconnect.co.uk</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/sitemap.xml</uri>
<method>GET</method>
<param>Content-Security-Policy</param>
<evidence>font-src 'self' data:; script-src 'self' 'unsafe-inline' www.google-analytics.com hmctspiwik.useconnect.co.uk www.googletagmanager.com; connect-src 'self'; media-src 'self'; frame-src 'none'; img-src 'self' www.google-analytics.com hmctspiwik.useconnect.co.uk</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/privacy-policy</uri>
<method>GET</method>
<param>Content-Security-Policy</param>
<evidence>font-src 'self' data:; script-src 'self' 'unsafe-inline' www.google-analytics.com hmctspiwik.useconnect.co.uk www.googletagmanager.com; connect-src 'self'; media-src 'self'; frame-src 'none'; img-src 'self' www.google-analytics.com hmctspiwik.useconnect.co.uk</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/cookie</uri>
<method>GET</method>
<param>Content-Security-Policy</param>
<evidence>font-src 'self' data:; script-src 'self' 'unsafe-inline' www.google-analytics.com hmctspiwik.useconnect.co.uk www.googletagmanager.com; connect-src 'self'; media-src 'self'; frame-src 'none'; img-src 'self' www.google-analytics.com hmctspiwik.useconnect.co.uk</evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/noJS.png</uri>
<method>GET</method>
<param>Content-Security-Policy</param>
<evidence>font-src 'self' data:; script-src 'self' 'unsafe-inline' www.google-analytics.com hmctspiwik.useconnect.co.uk www.googletagmanager.com; connect-src 'self'; media-src 'self'; frame-src 'none'; img-src 'self' www.google-analytics.com hmctspiwik.useconnect.co.uk</evidence>
</instance>
</instances>
<count>5</count>
<solution><p>Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.</p></solution>
<reference><p>http://www.w3.org/TR/CSP2/</p><p>http://www.w3.org/TR/CSP/</p><p>http://caniuse.com/#search=content+security+policy</p><p>http://content-security-policy.com/</p><p>https://github.com/shapesecurity/salvation</p></reference>
<cweid>16</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10010</pluginid>
<alert>Cookie No HttpOnly Flag</alert>
<name>Cookie No HttpOnly Flag</name>
<riskcode>1</riskcode>
<confidence>2</confidence>
<riskdesc>Low (Medium)</riskdesc>
<desc><p>A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.</p></desc>
<instances>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal</uri>
<method>GET</method>
<param>__state</param>
<evidence>Set-Cookie: __state</evidence>
</instance>
</instances>
<count>1</count>
<solution><p>Ensure that the HttpOnly flag is set for all cookies.</p></solution>
<reference><p>http://www.owasp.org/index.php/HttpOnly</p></reference>
<cweid>16</cweid>
<wascid>13</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10011</pluginid>
<alert>Cookie Without Secure Flag</alert>
<name>Cookie Without Secure Flag</name>
<riskcode>1</riskcode>
<confidence>2</confidence>
<riskdesc>Low (Medium)</riskdesc>
<desc><p>A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.</p></desc>
<instances>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal</uri>
<method>GET</method>
<param>__state</param>
<evidence>Set-Cookie: __state</evidence>
</instance>
</instances>
<count>1</count>
<solution><p>Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.</p></solution>
<reference><p>http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)</p></reference>
<cweid>614</cweid>
<wascid>13</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10017</pluginid>
<alert>Cross-Domain JavaScript Source File Inclusion</alert>
<name>Cross-Domain JavaScript Source File Inclusion</name>
<riskcode>1</riskcode>
<confidence>2</confidence>
<riskdesc>Low (Medium)</riskdesc>
<desc><p>The page includes one or more script files from a third-party domain.</p></desc>
<instances>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/cookie</uri>
<method>GET</method>
<param>https://www.googletagmanager.com/gtag/js?id=UA-93824767-2</param>
<evidence><script async src="https://www.googletagmanager.com/gtag/js?id=UA-93824767-2"></script></evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/privacy-policy</uri>
<method>GET</method>
<param>https://www.googletagmanager.com/gtag/js?id=UA-93824767-2</param>
<evidence><script async src="https://www.googletagmanager.com/gtag/js?id=UA-93824767-2"></script></evidence>
</instance>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/terms-and-conditions</uri>
<method>GET</method>
<param>https://www.googletagmanager.com/gtag/js?id=UA-93824767-2</param>
<evidence><script async src="https://www.googletagmanager.com/gtag/js?id=UA-93824767-2"></script></evidence>
</instance>
</instances>
<count>3</count>
<solution><p>Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.</p></solution>
<reference><p></p></reference>
<cweid>829</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10027</pluginid>
<alert>Information Disclosure - Suspicious Comments</alert>
<name>Information Disclosure - Suspicious Comments</name>
<riskcode>0</riskcode>
<confidence>2</confidence>
<riskdesc>Informational (Medium)</riskdesc>
<desc><p>The response appears to contain suspicious comments which may help an attacker.</p></desc>
<instances>
<instance>
<uri>https://div-rfe-aat.service.core-compute-aat.internal/assets/main.js</uri>
<method>GET</method>
</instance>
</instances>
<count>1</count>
<solution><p>Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.</p></solution>
<otherinfo><p> // For CommonJS and CommonJS-like environments where a proper `window`</p><p> // Return just the one element from the set</p><p> select,</p><p> // We use this for POS matching in `select`</p><p> rinputs = /^(?:input|select|textarea|button)$/i,</p><p> // Return early from calls with invalid selector or context</p><p> // (excepting DocumentFragment context, where the methods don't exist)</p><p> // TODO: identify versions</p><p> // TODO: identify versions</p><p> return select( selector.replace( rtrim, "$1" ), context, results, seed );</p><p> // Remove from its parent by default</p><p> // Where there is no isDisabled, check manually</p><p> // https://bugs.jquery.com/ticket/4833</p><p> // We allow this because of a bug in IE8/9 that throws an error</p><p> // See https://bugs.jquery.com/ticket/13378</p><p> // Regex strategy adopted from Diego Perini</p><p> // Select is set to empty string on purpose</p><p> // https://bugs.jquery.com/ticket/12359</p><p> "<select id='" + expando + "-\r\\' msallowcapture=''>" +</p><p> "<option selected=''></option></select>";</p><p> // IE8 throws error here and will not see later tests</p><p> // https://bugs.webkit.org/show_bug.cgi?id=136851</p><p> "<select disabled='disabled'><option/></select>";</p><p> // IE8 throws error here and will not see later tests</p><p> // Can be adjusted by the user</p><p> /* matches from matchExpr["CHILD"]</p><p> // Strip excess characters from unquoted arguments</p><p> // Get excess from tokenize (recursively)</p><p> // Seek `elem` from a previously-cached index</p><p> // Fallback to seeking `elem` from the start</p><p> // Use the same loop as above to seek `elem` from the start</p><p> // Remember that setFilters inherits from pseudos</p><p> // The user may use createPseudo to indicate that</p><p> // We can't set arbitrary data on XML nodes, so they don't benefit from combinator caching</p><p> // Get initial elements from seed or context</p><p> // Move matched elements from seed to results to 
keep them synchronized</p><p> // The foundational matcher ensures that elements are reachable from top-level context(s)</p><p> // case, which will result in a "00" `matchedCount` that differs from `i` but is also</p><p>select = Sizzle.select = function( selector, context, results, seed ) {</p><p>// Give the init function the jQuery prototype for later instantiation</p><p> // Methods guaranteed to produce a unique set when starting from a unique set</p><p> // Convert options from String-formatted to Object-formatted if needed</p><p> // If we have memory from a past run, we should fire after adding</p><p> // Remove a callback from the list</p><p> // Remove all callbacks from the list</p><p> // Re-resolve promises immediately to dodge false rejection from</p><p>// Catch cases where $(document).ready() is called</p><p> // In cases where either:</p><p> // from DOM nodes, so set to undefined instead</p><p> // https://bugs.chromium.org/p/chromium/issues/detail?id=378607 (bug restricted)</p><p>// 3. Use the same single mechanism to support "private" and "user" data.</p><p>// 4. _Never_ expose "private" data to user code (TODO: Drop _data, _removeData)</p><p>// 5. Avoid exposing implementation details on user objects (eg. 
expando properties)</p><p> // data from the HTML5 data-* attribute</p><p> // Make sure we set the data so it isn't changed later</p><p> // TODO: Now that all calls to _data and _removeData have been replaced</p><p> // Attempt to get data from the cache</p><p> // Add a progress sentinel to prevent the fx queue from being</p><p> // isHiddenWithinTree might be called from jQuery#filter function;</p><p> // Halve the iteration target value to prevent interference from CSS upper bounds (gh-2144)</p><p> // Iteratively approximate from a nonzero starting point</p><p> // Make sure we update the tween properties later on</p><p> option: [ 1, "<select multiple='multiple'>", "</select>" ],</p><p> // Remove wrapper from fragment</p><p>// https://bugs.jquery.com/ticket/13393</p><p> // Make sure that the handler has a unique ID, used to find/remove it later</p><p> // Detach an event or set of events from an element</p><p> // Make a writable jQuery.Event from the native event object</p><p> // Prevent triggered image.load events from bubbling to window.load</p><p> // from an async native handler (gh-4350)</p><p> // (focus or blur), assume that the surrogate already propagated from triggering the</p><p> // native event and prevent that from happening again here.</p><p>// https://bugs.chromium.org/p/chromium/issues/detail?id=470258</p><p>// for the description of the bug (it existed in older Chrome versions as well).</p><p> // 2. 
Copy user data</p><p>// Fix IE bugs, see support tests</p><p> // Keep references to cloned scripts for later restoration</p><p> // Copy the events from the original to the clone</p><p> // Where available, offsetWidth/offsetHeight approximate border box dimensions.</p><p> // Where not available (e.g., SVG), assume unreliable box-sizing and interpret the</p><p> // We should always get a number back from opacity</p><p> // want to query the value if it is a CSS custom property</p><p> // since they are user-defined.</p><p> // Fixes bug #9237</p><p> // If a hook was provided get the non-computed value from there</p><p> // Otherwise just get the value from the style object</p><p> // since they are user-defined.</p><p> // If a hook was provided get the computed value from there</p><p> // Use .style if available and use plain properties where available.</p><p> // there is still data from a stopped show/hide</p><p> // from identically-valued overflowX and overflowY and Edge just mirrors</p><p> // Archaic crash bug won't allow us to use `1 - ( 0.5 || 0 )` (#12497)</p><p> // Attach callbacks from options</p><p> select = document.createElement( "select" ),</p><p> opt = select.appendChild( document.createElement( "option" ) );</p><p> // Must access selectedIndex to make default options select</p><p> // Avoid an infinite loop by temporarily removing this function from the getter</p><p>var rfocusable = /^(?:input|select|textarea|button)$/i,</p><p> // Handle cases where value is null/undef or number</p><p> select: {</p><p> one = elem.type === "select-one",</p><p> // Don't do default actions on window, that's where global variables be (#6170)</p><p>// Related ticket - https://bugs.chromium.org/p/chromium/issues/detail?id=449857</p><p> rsubmittable = /^(?:input|select|textarea|keygen)/i;</p><p>// key/values into a query string</p><p> // Convert response if prev dataType is non-auto and differs from current</p><p> error: conv ? 
e : "No conversion from " + prev + " to " + current</p><p> username: null,</p><p> // and/or If-None-Match header later on</p><p> // Extract error from statusText and normalize for non-aborts</p><p> // Make this explicit, since user can override this through ajaxSetup (#11264)</p><p> options.username,</p><p>// https://bugs.webkit.org/show_bug.cgi?id=137337</p><p> // Stop scripts or inline event handlers from being executed immediately</p><p> // user can override it through ajaxSetup method</p><p> // position:fixed elements are offset from the viewport, which itself always has zero offset</p><p>// Webkit bug: https://bugs.webkit.org/show_bug.cgi?id=29084</p><p>// Blink bug: https://bugs.chromium.org/p/chromium/issues/detail?id=589347</p><p> "change select submit keydown keypress keyup contextmenu" ).split( " " ),</p><p>// derived from file names, and jQuery is normally delivered in a lowercase</p><p> * TODO: Ideally this would be a NodeList.prototype.forEach polyfill</p><p>// Detection from https://github.com/Financial-Times/polyfill-service/blob/master/packages/polyfill-library/polyfills/Object/defineProperty/detect.js</p><p>// Polyfill from https://cdn.polyfill.io/v2/polyfill.js?features=Object.defineProperty&flags=always</p><p> // Where native support exists, assume it</p><p> // Detection from https://github.com/Financial-Times/polyfill-service/blob/master/packages/polyfill-library/polyfills/Function/prototype/bind/detect.js</p><p> // Polyfill from https://cdn.polyfill.io/v2/polyfill.js?features=Function.prototype.bind&flags=always</p><p> var isCallable; /* inlined from https://npmjs.com/is-callable */ var fnToStr = Function.prototype.toString, tryFunctionObject = function tryFunctionObject(value) { try { fnToStr.call(value); return true; } catch (e) { return false; } }, fnClass = '[object Function]', genClass = '[object GeneratorFunction]'; isCallable = function isCallable(value) { if (typeof value !== 'function') { return false; } if (hasToStringTag) { return 
tryFunctionObject(value); } var strClass = to_string.call(value); return strClass === fnClass || strClass === genClass; };</p><p> // XXX slicedArgs will stand in for "A" if used</p><p> // XXX Build a dynamic function with desired amount of arguments is the only</p><p> // In environments where Content Security Policies enabled (Chrome extensions,</p><p> // TODO</p><p> // TODO</p><p> // TODO</p><p> // XXX can't delete prototype in pure-js.</p><p> // Detection from https://raw.githubusercontent.com/Financial-Times/polyfill-service/master/packages/polyfill-library/polyfills/DOMTokenList/detect.js</p><p> // Polyfill from https://raw.githubusercontent.com/Financial-Times/polyfill-service/master/packages/polyfill-library/polyfills/DOMTokenList/polyfill.js</p><p>// Detection from https://github.com/Financial-Times/polyfill-service/blob/master/packages/polyfill-library/polyfills/Document/detect.js</p><p>// Polyfill from https://cdn.polyfill.io/v2/polyfill.js?features=Document&flags=always</p><p>// Detection from https://github.com/Financial-Times/polyfill-service/blob/master/packages/polyfill-library/polyfills/Element/detect.js</p><p>// Polyfill from https://cdn.polyfill.io/v2/polyfill.js?features=Element&flags=always</p><p> // Detection from https://raw.githubusercontent.com/Financial-Times/polyfill-service/8717a9e04ac7aff99b4980fbedead98036b0929a/packages/polyfill-library/polyfills/Element/prototype/classList/detect.js</p><p> // Polyfill from https://cdn.polyfill.io/v2/polyfill.js?features=Element.prototype.classList&flags=always</p><p> /** Prevent this from firing twice for some reason. What the hell, IE. 
*/</p><p> * select lists).</p><p> // Copy all attributes (https://developer.mozilla.org/en-US/docs/Web/API/Element/attributes) from $span to $button</p><p> // Only set the state when both `contentId` and `contentState` are taken from the DOM.</p><p>// Read the state of the accordions from sessionStorage</p><p>// Detection from https://github.com/Financial-Times/polyfill-service/blob/master/packages/polyfill-library/polyfills/Window/detect.js</p><p>// Polyfill from https://cdn.polyfill.io/v2/polyfill.js?features=Window&flags=always</p><p>// Detection from https://github.com/Financial-Times/polyfill-service/blob/master/packages/polyfill-library/polyfills/Event/detect.js</p><p>// Polyfill from https://cdn.polyfill.io/v2/polyfill.js?features=Event&flags=always</p><p> * will tell a user to press space on a 'button', so this functionality needs to be shimmed</p><p> // If the timer is still running then we want to prevent the click from submitting the form</p><p>* this will help listening for later inserted elements with a role="button"</p><p> // Prevent space from scrolling the page</p><p> // and enter from submitting a form</p><p>* Remove the click event from the node element</p><p> // Detection from https://raw.githubusercontent.com/Financial-Times/polyfill-service/1f3c09b402f65bf6e393f933a15ba63f1b86ef1f/packages/polyfill-library/polyfills/Element/prototype/matches/detect.js</p><p> // Polyfill from https://raw.githubusercontent.com/Financial-Times/polyfill-service/1f3c09b402f65bf6e393f933a15ba63f1b86ef1f/packages/polyfill-library/polyfills/Element/prototype/matches/polyfill.js</p><p> // Detection from https://raw.githubusercontent.com/Financial-Times/polyfill-service/1f3c09b402f65bf6e393f933a15ba63f1b86ef1f/packages/polyfill-library/polyfills/Element/prototype/closest/detect.js</p><p> // Polyfill from 
https://raw.githubusercontent.com/Financial-Times/polyfill-service/1f3c09b402f65bf6e393f933a15ba63f1b86ef1f/packages/polyfill-library/polyfills/Element/prototype/closest/polyfill.js</p><p> * or legends appear above the input, this means the user will be presented with</p><p> // Prefer using the history API where possible, as updating</p><p> * Get fragment from URL</p><p> * Extract the fragment (everything after the hash) from a URL, but not including</p><p> * @returns {string} Fragment from URL, without the hash</p><p> * Returns the first element that exists from this list:</p><p> // so the page doesn't jump when a user clicks a tab (which changes the hash)</p><p> // Allow the user to initialise GOV.UK Frontend in only certain sections of the page</p><p> // Select content for this control</p><p></p></otherinfo>
<reference><p></p></reference>
<cweid>200</cweid>
<wascid>13</wascid>
<sourceid>3</sourceid>
</alertitem>
</alerts></site><site name="https://idam-web-public.aat.platform.hmcts.net" host="idam-web-public.aat.platform.hmcts.net" port="443" ssl="true"><alerts><alertitem>
<pluginid>10016</pluginid>
<alert>Web Browser XSS Protection Not Enabled</alert>
<name>Web Browser XSS Protection Not Enabled</name>
<riskcode>1</riskcode>
<confidence>2</confidence>
<riskdesc>Low (Medium)</riskdesc>
<desc><p>Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.</p></desc>
<instances>
<instance>
<uri>https://idam-web-public.aat.platform.hmcts.net/login?client_id=divorce&redirect_uri=https%3A%2F%2Fdiv-rfe-aat.service.core-compute-aat.internal%2Fauthenticated&response_type=code&state=2e27d0cf-3745-4816-ac64-04b2c8761bda</uri>
<method>GET</method>
<param>X-XSS-Protection</param>
</instance>
</instances>
<count>1</count>
<solution><p>Ensure that the web browser's XSS filter is enabled by setting the X-XSS-Protection HTTP response header to '1'.</p></solution>
<otherinfo><p>The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:</p><p>X-XSS-Protection: 1; mode=block</p><p>X-XSS-Protection: 1; report=http://www.example.com/xss</p><p>The following value would disable it:</p><p>X-XSS-Protection: 0</p><p>The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).</p><p>Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).</p></otherinfo>
<reference><p>https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet</p><p>https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/</p></reference>
<cweid>933</cweid>
<wascid>14</wascid>
<sourceid>3</sourceid>
</alertitem>
</alerts></site></OWASPZAPReport>